Malware Analysis Report

2024-10-19 08:27

Sample ID 240125-v4nd8abgc2
Target 06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e
SHA256 06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e
Tags
kinsing loader
score
10/10

Analysis Overview

Threat Level: Known bad

The file 06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e was found to be: Known bad.

Malicious Activity Summary

kinsing loader

Kinsing

Deletes itself

Executes dropped EXE

Loads dropped DLL

Checks computer location settings

Enumerates physical storage devices

Unsigned PE

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-25 17:32

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win7-20231215-en

Max time kernel

148s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3068 wrote to memory of 2788 N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe C:\Windows\SysWOW64\WScript.exe
PID 2788 wrote to memory of 2640 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2640 wrote to memory of 380 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 380 wrote to memory of 2396 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2396 wrote to memory of 288 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 288 wrote to memory of 2468 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2468 wrote to memory of 872 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 872 wrote to memory of 2248 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2248 wrote to memory of 2556 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2556 wrote to memory of 580 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 580 wrote to memory of 544 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 544 wrote to memory of 412 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 412 wrote to memory of 1700 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1700 wrote to memory of 784 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 784 wrote to memory of 2292 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1700 wrote to memory of 2656 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe

"C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

C:\Users\Admin\AppData\Roaming\svchcst.exe

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 251a70f0c55d02e74e34c409c5795274
SHA1 b0eb587b5e8d597ef801848722b790692d804be2
SHA256 f5397f02a6c8c59bc9869c0e5c726c096a69c84ad7f0934608fdbd8bc7e5b9f3
SHA512 023cca65a97265961790183f43605fb3dd47426049f2152e5ed90d2daed98607d1e215cb8cabf54d7d2068f7a86d3b01b1d101823e8ed1acfb09076e69b67c71

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

C:\Users\Admin\AppData\Roaming\svchcst.exe

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-25 17:32

Reported

2024-01-25 17:35

Platform

win10v2004-20231215-en

Max time kernel

101s

Max time network

92s

Command Line

"C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe"

Signatures

Kinsing

loader kinsing

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1216 wrote to memory of 1016 N/A C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe C:\Windows\SysWOW64\WScript.exe
PID 1016 wrote to memory of 540 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 540 wrote to memory of 2044 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2044 wrote to memory of 3700 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3700 wrote to memory of 1608 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1608 wrote to memory of 3484 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3484 wrote to memory of 3200 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 3200 wrote to memory of 4280 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 4280 wrote to memory of 3272 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 3272 wrote to memory of 2352 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2352 wrote to memory of 3428 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 3428 wrote to memory of 1216 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1216 wrote to memory of 680 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 680 wrote to memory of 5044 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 5044 wrote to memory of 4740 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 5044 wrote to memory of 4204 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 4204 wrote to memory of 5076 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 5076 wrote to memory of 4136 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 4136 wrote to memory of 3716 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3716 wrote to memory of 916 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 916 wrote to memory of 2956 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2956 wrote to memory of 4212 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe

"C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

\??\PIPE\srvsvc
