Malware Analysis Report

2025-04-14 01:48

Sample ID: 240602-2ekqcshd2y
Target: 9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d
SHA256: 9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d
Tags: (none listed)
Score: 7/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 7/10

SHA256: 9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d

Threat Level: Shows suspicious behavior

Verdict: the file 9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d shows suspicious behavior.

Malicious Activity Summary

Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-02 22:29

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-02 22:29
Reported: 2024-06-02 22:32
Platform: win7-20231129-en
Max time kernel: 150s
Max time network: 123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
(row repeated 23 times)

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
(row repeated 63 times)

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A
(row repeated 2 times)
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
(row repeated 44 times)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
(Each row below appears four times in the original trace. Read in PID order, the rows chain the sample to WScript.exe, WScript.exe to a fresh svchcst.exe, and so on in alternation; PIDs 2384 and 1812 each write to two different child processes.)
PID 1720 wrote to memory of 2964 N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 2964 wrote to memory of 2752 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 2752 wrote to memory of 2448 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 2448 wrote to memory of 2052 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 2052 wrote to memory of 2512 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 2512 wrote to memory of 1232 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 1232 wrote to memory of 2984 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 2984 wrote to memory of 2280 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 2280 wrote to memory of 2384 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 2384 wrote to memory of 1216 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 1216 wrote to memory of 1808 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 2384 wrote to memory of 2416 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 2416 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 1812 wrote to memory of 1164 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)
PID 1164 wrote to memory of 2412 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe (x4)
PID 1812 wrote to memory of 2028 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (x4)

Processes

C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe

"C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

(After the initial sample, the WScript.exe and svchcst.exe entries above alternate through the rest of the process list, each with the same command line: 24 WScript.exe launches and 23 svchcst.exe launches in total.)

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 62f967c127f1478b67657629c853fa77
SHA1 7b637e21ff6d44571893719611838b0c51a3b986
SHA256 c2b91ebd60c9a12f3fbd0bf586c212628a91d458df413c3cfeef68c7039f309f
SHA512 72024ca907b90c8b15246b15920ced399d80faef46eb27587b1b60eefbb4ec5d0ebfb52d6f9add4ab4293487c935e9c93f9f55f8137f3b528f048b2881547dac

memory/1720-8-0x0000000000400000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 50b99661f373303faae96d827e752cc2
SHA1 f958ebc65033cb518241d6a34319231bf6a436e6
SHA256 f18e4d6d2bb30d78c1ecac2c45ea87ceb090a10ecd849264515d1da89d6d3340
SHA512 70ec7b484a11f27a1d3ea0d8c7b3c7734770ec3a2d4ec7e2aad27786c63d9501505be70a78518e0c80b1ec40100e59ec1396ebe26fb09508fd79907207d8e053

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 41bdc303960afcda8ebae4f3e29f0b52
SHA1 4cbf649fb04c836614138308a06ecd48dcb2882d
SHA256 da674cdbd4dd762cc32ce0bd2ec36929a626e0e87f7ab7a4a1b1e1ce0123d999
SHA512 800b5b01cc41e7633f203579e7f6ec0a9f6408f7af79dcfa74596be9264dbb8baade6b1439dedb5194496aa27b8b0e2680ce65ad91032138ea0ac2c8a0872cf1

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1 e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 25741fab0bc335b1ed971b3134b0edd3
SHA1 9849046efa3f20662f73cefd0d090bef480c9835
SHA256 05963c6d3a7cc5421377a784df6474456fcbd2f95c7190f2ddb4a9ccbfbe7f98
SHA512 6e772baf90739a76c5c477780e2d158502b55d9c898e69402b0a3bfb840949959c6779f9b291c0503a4fcad95369be55b5f3233ded9329d49d5cde3f1a8369e1

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 5ba8c208c5700f7f25c2e24e00d50ac8
SHA1 9838a0ab093ed94bc85a80b1feee14b68e4df8d1
SHA256 213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6
SHA512 065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 2af86d83545125b952334759f8554ae3
SHA1 ddfef7be6fbd8d8185c772a9a78eb18617a9637b
SHA256 7dd3660d7e87e64f451b4d1882d07c1733ce38d828770910453cc1b7f457d11d
SHA512 38d2854f941ff77a2fec871ba6513df9862fe4f86778b22053b4c3e25995b192f4ab943051a2c613cc3e78d275bc543b0dff09149cb4620e307809d20beae17b

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 ae63ded87a90f9812749cac189d07a57
SHA1 5a37ba565ce8c2445ff71f7c3d7adc38cb68627f
SHA256 6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236
SHA512 293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 0e6005a9dcb5a78d6fdd54527602f926
SHA1 90adc62e99f3c94c643596af0e17b5853b91fe1f
SHA256 847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da
SHA512 b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 85fa416be0b995c6e53ce5e2df106d8a
SHA1 bcffe6d0eb7594897fb6c1c1e6e409bacd04f009
SHA256 f08a191ea7850c2d2e0fa0cd1f40254eecb8dcb63a9dfa94cc8a97f609c49293
SHA512 5d92938d833d0555e94027148d0d9fc064274885bb4992f4e5840e7be03b629a3d2dc3703f9a7aa7614cb46ee19f9cfe26c69cc2e3a162f4be9045e5da18efbf

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 c85adfb789ee03eba0d843b08042e4db
SHA1 263793011d11bd0dd1daf4b55215a8802f9bf6e2
SHA256 8cc7784dcb4efa452913063eacec257cd1b6577c80bb3540f7cfcc48320dbf59
SHA512 b52184fa3c8a36d8e9293921a40820991247bbd203aa991678dafcd5cc96af20bf2df3e0b876b77a0d6a91f5b43aa2768137f88fca28357f883410d3b9f77539

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 cd3670279cfd4857ab7ae976f56ad473
SHA1 2b4136cb5f5aa98e7cf48135db771fe497da942f
SHA256 9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f
SHA512 30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 0667072f0b99c114be29b17a58be850a
SHA1 8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143
SHA256 002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07
SHA512 5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 70e226fbd8b4b3f2ddf8a8753a77586a
SHA1 a81a39d08f77479d0ee65599dd2749031c32fc19
SHA256 3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026
SHA512 f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 10ffe941ac3b45a1b27eaab090d03e3b
SHA1 4f72abac858bc7659692930176f0cd4f18e354f1
SHA256 b2a27182b84ccf59736264c5fc788f96d92a2d3a14fe7c964e0976af00956144
SHA512 638a48fe06a5e0c47e50ac67e0df2d6952e5e39620a585e5fb086d40ff61cff9bee6a6cfda6582c54e216f052dc6ba4ce5d742ae5174a987701701e67dc65544

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-02 22:29
Reported: 2024-06-02 22:32
Platform: win10v2004-20240426-en
Max time kernel: 149s
Max time network: 156s

Command Line

"C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4580 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe C:\Windows\SysWOW64\WScript.exe
PID 4580 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe C:\Windows\SysWOW64\WScript.exe
PID 4580 wrote to memory of 4008 N/A C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe C:\Windows\SysWOW64\WScript.exe
PID 4008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 4008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 4008 wrote to memory of 1892 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1892 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 2148 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1892 wrote to memory of 3020 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 3020 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3020 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3020 wrote to memory of 4600 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2148 wrote to memory of 3540 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2148 wrote to memory of 3540 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2148 wrote to memory of 3540 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe

"C:\Users\Admin\AppData\Local\Temp\9bdf16d92ece5f2ea0c80dc3dff97074eb44b7704ffc23325934145bd81cc87d.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
US 8.8.8.8:53 240.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 14.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 183.142.211.20.in-addr.arpa udp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 19b9f38e03869c4b463722b783c9de8c
SHA1 7148eddb6bc5459dd9eeb2ecb2170fb5eaba4575
SHA256 bcf6b029e9a26d281b3f5afd1894a74856040b1d42770f9bbb58b012836667a9
SHA512 d8d1168d40573023b9be6ada05ade4014088e710ad562e3ca0b03c456da995d35b9a16d4e582b4e1eb53d4ea8058a8d59b0b2ecf0eaeeabb385a807acd0833ad

memory/4580-8-0x0000000000400000-0x0000000000551000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 fa5aeb039efa08a786befab2a05e8298
SHA1 174a11410292d112cd2e0f2b08ca7c6f501a53fd
SHA256 acd9064e97bc33ef4b9ec26613bfecfb0258cf8223906786301b2949b4be8b73
SHA512 199c784edb5dcfbac28441318a303f07c2e914fdf7898397e70408ca28b8f501a31c8177a19c368edf55ccf26287e94a5440a8d31ae4dd6d1e50f2673ea4698a

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 a3b1a2435db9006df38c9e78df96e2f2
SHA1 a8a6d302d102686610f54547bdf0245b177a752f
SHA256 8ca1784265581709551e81326c9733c10ac943c899070bee9b799f88dad7870e
SHA512 fe8a0d2a67e28fcf1b31e640132a669186ddb33302b135d11c0706a5c9e98548d53d51be0d2ecc9d20c43efbe393d7865c57ca9b6c651deca93f67aff0968210

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1 e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 95e18fa5ff75a8e5840f247fe8a88323
SHA1 3d1b4c6d7f84fcce6ee5d181b29e794eca88d3d7
SHA256 bcc9bba9757bcf60be83bafe7d9003dd57659a0c53cdead5617fe054c0932a41
SHA512 d7ecff3b42120b06e65354d756d01caccf917224128eae16be1fb379b7e4b41b3647bf2e102329b6425352639eeb80c7247d2748cc36ce62fb24da93929a80e8