Analysis Overview
SHA256
fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac
Threat Level: Shows suspicious behavior
The file fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac was found to be: Shows suspicious behavior.
Malicious Activity Summary
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Enumerates physical storage devices
Unsigned PE
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-03 10:34
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-03 10:34
Reported
2024-06-03 10:37
Platform
win10v2004-20240426-en
Max time kernel
93s
Max time network
96s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-03 10:34
Reported
2024-06-03 10:37
Platform
win7-20240221-en
Max time kernel
150s
Max time network
121s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe
"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
Files