Malware Analysis Report

2025-04-14 02:36

Sample ID 240603-mmjeyabe2t
Target fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac
SHA256 fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac
Tags
score
7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
7/10

SHA256

fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac

Threat Level: Shows suspicious behavior

The file fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac was found to be: Shows suspicious behavior.

Malicious Activity Summary


Deletes itself

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-03 10:34

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-03 10:34

Reported

2024-06-03 10:37

Platform

win10v2004-20240426-en

Max time kernel

93s

Max time network

96s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4076 wrote to memory of 4504 N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe C:\Windows\SysWOW64\WScript.exe
PID 4504 wrote to memory of 4984 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 4984 wrote to memory of 4960 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 4984 wrote to memory of 3300 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 4960 wrote to memory of 5800 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3300 wrote to memory of 5740 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe

"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 11.227.111.52.in-addr.arpa udp

Files

memory/4076-0-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 d0244eea3255327ca0c7c181d36b38ad
SHA1 a302f6b421088197510913b8a2e901d60ecaa12b
SHA256 3cac7c5f48f3b40497fdf7a62c9e2d2d73380ab2b6b9954b8314ebbc7a313908
SHA512 f2c6647e8d2ae1b9b8703b1d3166fc2c41edae031628e8335c026e07850f43052ac4bd53d24f0d136386ebeb82ebf5d557900bcd2e4398a27bd7cf76a7cfcb71

memory/4076-9-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 adc21714a4a1d8bdf33658cd6ad2b397
SHA1 feb16cc031692882d36ea6126fdb04a34dde77f2
SHA256 81add9c8fe7caeb7e81be1f6bd7b65660aef4baa9cdff9739138ea2c0e1e3116
SHA512 c800039a3145ecb262ea4f92a8742cb39a22ad1923c357ce8fc1eb2f02bfd023bc17af6c7d51baad817a224e7aa88ea511fa398f73a14a9ae5bc4cf2847d50a1

memory/4984-12-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 4e9605159361f93230fef3cc5ad4301c
SHA1 64e6d5673487e049cc4e96650b507641062ca1bf
SHA256 2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7
SHA512 5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1 e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

memory/4984-23-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 5858196fbaeead037ea6e9c4ab62ab10
SHA1 543cb9047ecfd021ee83884ea840bb958fcca4e5
SHA256 caeccc62f5f0f2bf389948848bfb66cacc9ebbc8991f92f6781dc6d6de1c7353
SHA512 99a374a6edd744fa84acc056c035540e2e72105208e3ca61115e5bc4acd94bd9e1f0336ddebbd2aec6a28458b2b454dee8d3c8be0690f68d259c634d70e6b484

memory/5740-27-0x0000000000400000-0x000000000055F000-memory.dmp

memory/5740-28-0x0000000000400000-0x000000000055F000-memory.dmp

memory/5800-29-0x0000000000400000-0x000000000055F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-03 10:34

Reported

2024-06-03 10:37

Platform

win7-20240221-en

Max time kernel

150s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1924 wrote to memory of 1648 N/A C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe C:\Windows\SysWOW64\WScript.exe
PID 1648 wrote to memory of 2560 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2560 wrote to memory of 2944 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2944 wrote to memory of 2652 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2652 wrote to memory of 1348 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1348 wrote to memory of 2280 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2280 wrote to memory of 2368 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1348 wrote to memory of 2068 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2068 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2616 wrote to memory of 576 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 576 wrote to memory of 2364 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2364 wrote to memory of 344 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 344 wrote to memory of 1540 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1540 wrote to memory of 2316 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2316 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2316 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2316 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2316 wrote to memory of 1864 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1540 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1540 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1540 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1540 wrote to memory of 2512 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe

"C:\Users\Admin\AppData\Local\Temp\fc52c4127d0ded9066389eff2f4e84d70360c723c80b3bb4e66b5f63f3cf4eac.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

\??\PIPE\srvsvc