Analysis Overview
SHA256
06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e
Threat Level: Known bad
The file 06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e was found to be: Known bad.
Malicious Activity Summary
Kinsing
Deletes itself
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-01-25 17:32
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:35
Platform
win7-20231215-en
Max time kernel
148s
Max time network
122s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe | "C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs" |
| C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" |

After the initial sample process, the WScript.exe (running VBS3.vbs) and svchcst.exe entries recur 47 more times, almost always alternating, as each relaunches the other.
Network
Files
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs (written repeatedly, with differing content each time)
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe (written repeatedly, with differing content each time)
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
C:\Users\Admin\AppData\Roaming\svchcst.exe
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
\??\PIPE\srvsvc (empty content)
Analysis: behavioral2
Detonation Overview
Submitted
2024-01-25 17:32
Reported
2024-01-25 17:35
Platform
win10v2004-20231215-en
Max time kernel
101s
Max time network
92s
Command Line
Signatures
Kinsing
Checks computer location settings
The Geo\Nation value was queried 34 times by the following processes:

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
Enumerates physical storage devices
Modifies registry class
The following keys were created 34 times in total by these processes:

| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
| Image | Command line |
|---|---|
| C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe | "C:\Users\Admin\AppData\Local\Temp\06cb0b2edcc809014d32ad320b903be84f6dd3e517807a7f01a97b93146aab9e.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs" |
| C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe" |

After the initial sample process, the WScript.exe (running VBS3.vbs) and svchcst.exe entries recur 35 more times, almost always alternating, as each relaunches the other.
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 22.177.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.86.106.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.71.91.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | d5cbc6f0a5f31ce07e8fd229e8434c50 |
| SHA1 | 90036111fbec7d4d7a1ecd79ce2f290cb9079880 |
| SHA256 | 9a49a63db9146f5961dc414c43ae32a94b47678acc526038d3d9358495a221ed |
| SHA512 | 0f1870986ff661610377266f1d9221f06284978c5e3c44153db1f3fa2309fc7a22b1b05b15ebe47f5036647e4467dfca69b64c3ff5c13cee480d295168327cc1 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 99874a0eba237bcb542bea8815345a98 |
| SHA1 | 89aadda48805c7015dfc793018406b88368a9e39 |
| SHA256 | 662f81a36cf65e0f0ec5ae4192b83a07db11f8f2580f53144cfd78cf6d605b56 |
| SHA512 | e6edb0e95f4eb2c17b9c4a6cc4ac7da3eea45cb58d0aa4f873b99fa8e468aef1a4ad22c5ff8075c8f3339ac8c9cccc07c203446e7ee60b74b411bea9edd2a576 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 0deab118abcf8e078322ee46edd4cfd3 |
| SHA1 | b0f46f2ca33e8ea264812838f6c7a98d0c55a0bf |
| SHA256 | 344ce7e23c768177547510b0627c60667804530f220048e11f21e1cda521c502 |
| SHA512 | e7e4c041addbecf42ec91877dac6c89a207a3c1eb0247d56c6e4844852a3c7a3a716809d5040d01b03ab332bd155a4f4fb014abc896b9598ac52218c74a1f3c0 |
C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
| MD5 | 67b9b3e2ded7086f393ebbc36c5e7bca |
| SHA1 | e6299d0450b9a92a18cc23b5704a2b475652c790 |
| SHA256 | 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d |
| SHA512 | 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | bb3ef08dfff7d1fcf5c80360e8767839 |
| SHA1 | 700b32e642ec719e351b7936c4a53b4fa2916ace |
| SHA256 | e583240dc0b8d71f1896de239347ef97e455a9519872bcec4d37683f1338603a |
| SHA512 | a10377d3030cdf8c8dbc3ce91de545732e2dd0c219adac70f6c15d18e9a2b7ecec5c4f053fc8c13ac104323c1f2437d304aa7a6a1772d782635d543d6a84f53a |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 4da44f527a1cad5677f96bf25858968c |
| SHA1 | 2d7425dd4617a686d5ea83c3c3cc03ae9926e9ca |
| SHA256 | e1ac4f7e4e498f03a8a288625bafb964b14dd6ccaea13f5406aa77a481290ea7 |
| SHA512 | c59fa7960503cfdab48fe31acbfbe66bcb34bbd70fa94d26efe23efff22dbbc7811c42e85f682bb73a284f72033eb95f5c751c77bd82c47dff0bb3a23510ff5c |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 501f44d4c6e462c2e6ac802470ff0b8a |
| SHA1 | 36f5c199f6b2c77308ffb7a65f1cb0abd1bca1bb |
| SHA256 | 7961436fa4d70df97e89a2f6de64c74b148eddd8e0487abcd3de3576ea26fe98 |
| SHA512 | 633d4ad8da4c85210efa1d10efe1aaae7122f8146165d782a46d16b5c36cf9221807d4dfdae90ac874f9145a7d8010a498dd8afe594afd7cfe695445e545a48a |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | d0a7594dbfff2934bae6e22de9f233fe |
| SHA1 | b2a276918a0f5fb2da4440d77ec65c3c644dcf74 |
| SHA256 | b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d |
| SHA512 | 3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63 |
\??\PIPE\srvsvc
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 2a7822b6f52035b19cc816fa1583ebb5 |
| SHA1 | 1e903898bbdc8719cfb4b8c6c992665896727f65 |
| SHA256 | 5643fdef62cac10ba757f63ff6978d500939ae6c8ea77d229dd1d52f794565e0 |
| SHA512 | 5b147152154622865d3b8664b8f9a2bcf5117cdc8cbf2b147332713e72c06b6dab8d8938b641f8fbbeacf86423ef2a6c0dd42a26b39c39b1de1775a8889f5090 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 343909c784c584bd2cd37002389eadf5 |
| SHA1 | 6641ea17bf9fd097dd8d2076ac5ac6eb52118978 |
| SHA256 | df9a75e03b6d644e2665f31ecbfb7bbad1e743245c78b3d2059279fb0e66aeaf |
| SHA512 | 064f558d5877f81bfec0a10efcdee87ccc554b7017515dd574fae283c97e8cb289da00412363b24dce033fffca71d0e7a3e156bdf7d7b848017741cca6f62018 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 5c256ba320c7487a2c3cdb62bea97bb5 |
| SHA1 | 2a28e5d7bd4483a40fb6035f1ec6fcf1d66cb2fc |
| SHA256 | 854aeaf6ba44537fc01088f8c336552a1aab4c6df84938d241c8616b6f0802e4 |
| SHA512 | bb55f293471dda9b074664d4cf2dad094f8f0c2479c1fd754dd85199d1d1b1012cfa3b050711ac0b59368d6bf1756cfcadcaff1e47d4f103a093a0b77782fdc0 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 4a1b23edb1b661011cb28061ae49aeb9 |
| SHA1 | 419957d40ddebb436e3930711069b3f1138baf34 |
| SHA256 | a545203e5a8e042a1d7f77cdcb83d89df31c6f8d5a3785b31fc7273b271cd470 |
| SHA512 | 5d57eee90cf7a018b08890ef6ad70e371afc544e47e0c8843349a9b5105db456105abe698740e448f7332cfd58116d9a7fe330eb885acc588be98b562bba8a31 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | cd3670279cfd4857ab7ae976f56ad473 |
| SHA1 | 2b4136cb5f5aa98e7cf48135db771fe497da942f |
| SHA256 | 9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f |
| SHA512 | 30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 8f9785018f4517638f481da1a5d90ba0 |
| SHA1 | 5f2b150196377238000fdc04a36a11cf5153de32 |
| SHA256 | d6ff7ac6f2d1e8363e11501ed5b3ba1506b7322e9ae381c392d555bf53d802b6 |
| SHA512 | 8f855693ce23d015c2c70b773e0da90945ade3897063d3a65a4e66cdceae3fd0cbeec3820e6272ca934f1ca88fbe969529c22efdf7d2e3c32ad7d25dc476ba93 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 3fe126921f6537cf36cd507b1649ffbb |
| SHA1 | 445c8796d072bb5829f0af8421e3eb7da34add70 |
| SHA256 | b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6 |
| SHA512 | 5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | d8b246a6e190894d0c87c6992c9fb7d2 |
| SHA1 | fc56fa163b2508c9aa82ade4e163ea625015c3eb |
| SHA256 | de13e86bcf9b5c1f56dca96e6d5fb97c6e0c209ee3d205be20a8f92f61d2f5bd |
| SHA512 | 1748cfbd06f1d69c26bb233da189ec027c69d724ad19f9dab33e3dc59c3244cca6647474369f2a7ace56437bee15bad3b7682e8fb0cacd8b466c92099b427fac |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 06a252a9516053e44ec8e64f1ebf0533 |
| SHA1 | 29ac97e0cdade946c4feb81ad3f78d70953a2277 |
| SHA256 | 6b8a799c3d4b977adb7220f6790b2ac09080ca3ccde5a2c33c83b33ea905928c |
| SHA512 | 0775aabeef7c910e03efc40f96143025a2ee3544dd656c78d09ef63c85d040037752aabe72fdf3b636ee31422ae8de01b73c85e27247203d5efc1635eaf15b2d |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 330a9f56a34fc077c512e2025baceb38 |
| SHA1 | 5d54933e13bf672841f07c809d2da7cd7cf7915d |
| SHA256 | eb822dda1b0bb74118cdefca5e85901e790b469110e4d12c18f1822c65f72c75 |
| SHA512 | 163be58710bb8d5a6c2f0a9cd72ce36d1589a02bb8ee7eb45d858a304756528e2b3d7ba632049bbc9348d483d36737608b844a4357f57bf06493603c3132672f |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | ebf405e49dade13da94f737cdc03dba1 |
| SHA1 | 8a0c39e59beed0deb4e726566b235c42c70942bb |
| SHA256 | d15af3885670c4fea9dd97da21025faa5fd2b42bddc310bad2893e23a3ed2bef |
| SHA512 | bbdef781757a387898665650d8f951e7fc495770d34595d9badbe5a39d46ec49a06ec00cbe28ed5e2677e5eeea518241fb638580668baca8d7728c44f2069ea2 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | b5ae98cf0cfeb652a3c00216199e910b |
| SHA1 | 84b1971d8af41577bfc21075b13403481e852c4d |
| SHA256 | 557118e0e9980792a64a463423d19ccbb8c98d23efe37a70d40da847b99cd6d3 |
| SHA512 | 7f01a9a56272daecf32ac05469ddf13863715b5c4053227908a5eedb91ca833688175bd92149ec4d8d2834996bdf887bf878940e59cbc369dda4e008357f741f |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 4f1c3e04fe09c26eac61a6a5e73d41a6 |
| SHA1 | 5d61ea8f22af3a41286cfd2e03bf0d5fe912527e |
| SHA256 | fcea651549aa97e3646b2b5857daab87dfa90158918203ea713fbc3d8dc96d2b |
| SHA512 | 23a253717242040b3497cc5dd9736a2a19adac084ebdf17f578f11a3c07aa584c78a8155ece8de4317293c4b75fca53b4cc225d05785f69e01d18ef6582e01f5 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 58247efad099b9fcaa9cd97327547221 |
| SHA1 | cb15285d9c98566eaca6038be84b467be2c5ae0c |
| SHA256 | 2df4495ddaea2652ecc77df25c5c8cfc663bb770dd7882163f231afcb138ce9d |
| SHA512 | 34ae315dd177f787cff43024fa601731894189bd4f32e5567ae896807d3c29a7beee835afa5782ffd9d0a7b41f7bd0bad424eeaaea51ec4edd7152b9871c2c87 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 557c5323297722c8f3a8893391d61333 |
| SHA1 | d1ffaff4a8eb3bd2b2cb0b981258ab433aa24715 |
| SHA256 | 889069ed7f3c778ecaadf53ba74ea7f3144fbe36a66e17f06c410c0cee55ec82 |
| SHA512 | 9d137cbf99ce1ed752eb17b6581706de2e92a16ed67a76a94e0fc3f0e897940d1bcfb943f5a7b5a283f27b9c33fa69925ba54e6e3d625e7a2479c5e08df57d12 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 024be950e07002e527b8dd1efbb0e4b4 |
| SHA1 | 1a56034c6366027442be28a75bce7cdea55a8a98 |
| SHA256 | 51f47375c2a87dc9fe8cc958432adcc166d0faf75f7d1da1322e238fb5d72893 |
| SHA512 | 96864be4661feeef155d1816192852146e5d2aa3266ce5b732ec203d43a6098a5fa456a7decb9ab1bd66bc959ed85b485de32c11cea6ee6d1a48d0bea2349b6f |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | b10281535611b5e62455be7188cbad12 |
| SHA1 | 9bd350cc9e0277a5c7a074973e24e6b185861420 |
| SHA256 | a020a6b8fff436359678918d5158b15d179767d2736c01906f90bfef01ea0166 |
| SHA512 | c4f9cda25d596ef83ccba36631ff569bcfadaefabd2a9e4f5e0ba6e1b3f08903b9e2cbf927f8afdd8f2e00a1f203d9ba4ec0ed888b20ca8d7b2b25f3282d4e5f |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 464c7469920c69d55c69a17da086de74 |
| SHA1 | 9cff40342ba21c11b352b785cd9701c4bc0ebd71 |
| SHA256 | 8a220251cb96104730bf8dc7812e300f4a69c59ce65a531b9b6262919fe9a404 |
| SHA512 | 2240d547bee755f6eb6a6d965df751e9cf7926971597e369b98bc6d2da0bf9ce737019a4933041a691a34c8e6e71e2da7a5594547f5c31ef8e84b309b124da86 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 08e59d2d672728796d1d263f61b8e693 |
| SHA1 | e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243 |
| SHA256 | f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923 |
| SHA512 | 328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | 32053fbbf9a5f31b64b7c0f212fcc621 |
| SHA1 | a40fd782160ba39a75f779968542471ef31c6edf |
| SHA256 | 2f3789e7997996da273e3a4f1f0e1135e01b47e539bf638bd7e030e905d24908 |
| SHA512 | d90ecbabd31a6e6782b1a505c22e49a85f0444612feea8163780c900306e17eea9305b95db96dbaa416bdc06bba117eb5d26074c04809ffd2dafdeffaec56b62 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | f3159db8bd483868144429c5909d280a |
| SHA1 | a3698b1ebb0e43a564357bb77c3462539a114f87 |
| SHA256 | f31b8921a342ba1eecff8852bd1904a17e94e544a1975106b9b5533155ed044c |
| SHA512 | 328e166bbd706c7e6848c246909d96779ee2efcdf7bdb0ff47eed24e0267dcca005bb41651b60393ffafbb7b7467d94b22454e8c4be57108ffeb6238e88db916 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | f34b3ee42a2b55e470856c6f5500a431 |
| SHA1 | f03e110fe10545b879b2c5ac9da7015b883bcce8 |
| SHA256 | 54ffcc0518aa7ac287ca3ca17e23acb9bfcf2edbcf4c098df0646f90bdf4dbda |
| SHA512 | 0b1a8cced30b74d2ffe85baf65d4c6ba3b31d2d59bf4782eaf7e876cd75cf3991801c5b2b28e29359ec4b92207e32befcaf340974a82f54fc5892d9d07bc780e |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 0b07dbb471d7fe60f6b7446050131aa9 |
| SHA1 | 4e1f1ada445a0bd2f1df1b5fe3ac6fff22c577a1 |
| SHA256 | 483f571197412d4524e63cd78ae3ccd6a0c934a2178119e6aea3331a7bae6929 |
| SHA512 | 6ddb5ad7ea76630d076b3e6ff03cf3087f65b035e7de9a4b30c6243641efc9a1c2f2975f05662039e95558aa81e78ecc1694114b22877f1029cb0d551df59ec1 |
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
| MD5 | ec88d3e786ecf146fcfd3957edf4c1ec |
| SHA1 | 7831e1c5b57cff4234cb3fa78b8903bd22934b84 |
| SHA256 | 83d7cbafe6bdcdcc6e87788bb52c399de5372cc211a4180818f7b17294d78d20 |
| SHA512 | df9e774f164c01620f1d557fcefbdc715b51f199cc518186a00aeb1a43453e14135fed4302ddedad518b081f51add121387ec7a9e6248ad0b5ee0ecb46ad0c31 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 5771c014296ebb077452c34a3ea54708 |
| SHA1 | 6e6ff6d4e62db0f7295883fcdf1b10a4f69b2b58 |
| SHA256 | 8abb3ec990928dfb09f067bb1f8b7e99a9487f039c9a5f80ab5306006c746859 |
| SHA512 | 642db2534af82e398285770d5b6564603b457e1e4e0853cb46322aa24f7a880223a839875e7022d5c21f5eb01730df4e4dffdb426ef6e6c81defeb5f5f774ac5 |
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs
| MD5 | 4433cc23fc280ad8dcff9966bac19fe4 |
| SHA1 | 62cc2abfe6e2ee0fd6b5cbce20daff4ba787bff0 |
| SHA256 | ca7cfd972b03d0b30404c8233125adda1dacc81a2e43e919d70bf1c2700af55b |
| SHA512 | 6a5e7454dde98251a987bedc21e628550c469480cbe41f3b3644789da38e782c8b94660d4a076697cc7abf3fcc767650d00ac3639b11cfeba96ece8110920b4f |