Analysis

  • max time kernel
    149s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 18:43

General

  • Target

    691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe

  • Size

    1.1MB

  • MD5

    6d76dd1996b7c3c54a522968ea2ed08f

  • SHA1

    3f716630ac0d1b107e5bbc4b7b12502cf04fd8a8

  • SHA256

    691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f

  • SHA512

    96acca447a2e5997ece19e527584fb712a4182970071f8eb3eb6bc3b2fa6293d3303b352fa482630ba90aede9a28f51957120337285712b8b8b47cfe61638223

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qb:acallSllG4ZM7QzM8

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 25 IoCs
  • Loads dropped DLL 41 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 52 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
    "C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3056
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2564
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2420
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:2472
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2668
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:2124
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:1008
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                  8⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:332
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    9⤵
                    • Executes dropped EXE
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:1260
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                      10⤵
                        PID:2228
                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                      9⤵
                      • Executes dropped EXE
                      • Suspicious use of SetWindowsHookEx
                      • Suspicious use of WriteProcessMemory
                      PID:1396
                      • C:\Windows\SysWOW64\WScript.exe
                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                        10⤵
                        • Loads dropped DLL
                        • Suspicious use of WriteProcessMemory
                        PID:2092
                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                          11⤵
                          • Executes dropped EXE
                          • Suspicious use of SetWindowsHookEx
                          • Suspicious use of WriteProcessMemory
                          PID:3040
                          • C:\Windows\SysWOW64\WScript.exe
                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                            12⤵
                            • Loads dropped DLL
                            • Suspicious use of WriteProcessMemory
                            PID:1900
                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                              13⤵
                              • Executes dropped EXE
                              • Suspicious use of SetWindowsHookEx
                              • Suspicious use of WriteProcessMemory
                              PID:2080
                              • C:\Windows\SysWOW64\WScript.exe
                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                14⤵
                                • Loads dropped DLL
                                • Suspicious use of WriteProcessMemory
                                PID:2296
                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                  15⤵
                                  • Executes dropped EXE
                                  • Suspicious use of SetWindowsHookEx
                                  PID:2584
                                  • C:\Windows\SysWOW64\WScript.exe
                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                    16⤵
                                    • Loads dropped DLL
                                    PID:2372
                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                      17⤵
                                      • Executes dropped EXE
                                      • Suspicious use of SetWindowsHookEx
                                      PID:2000
                                      • C:\Windows\SysWOW64\WScript.exe
                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                        18⤵
                                        • Loads dropped DLL
                                        PID:2340
                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                          19⤵
                                          • Executes dropped EXE
                                          • Suspicious use of SetWindowsHookEx
                                          PID:2332
                                          • C:\Windows\SysWOW64\WScript.exe
                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                            20⤵
                                            • Loads dropped DLL
                                            PID:1008
                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                              21⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1836
                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                              21⤵
                                              • Executes dropped EXE
                                              • Suspicious use of SetWindowsHookEx
                                              PID:1172
                                              • C:\Windows\SysWOW64\WScript.exe
                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                22⤵
                                                • Loads dropped DLL
                                                PID:816
                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                  23⤵
                                                  • Executes dropped EXE
                                                  • Suspicious use of SetWindowsHookEx
                                                  PID:1428
                                                  • C:\Windows\SysWOW64\WScript.exe
                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                    24⤵
                                                    • Loads dropped DLL
                                                    PID:3000
                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                      25⤵
                                                      • Executes dropped EXE
                                                      • Suspicious use of SetWindowsHookEx
                                                      PID:1928
                                                      • C:\Windows\SysWOW64\WScript.exe
                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                        26⤵
                                                        • Loads dropped DLL
                                                        PID:2072
                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                          27⤵
                                                          • Executes dropped EXE
                                                          • Suspicious use of SetWindowsHookEx
                                                          PID:2528
                                                          • C:\Windows\SysWOW64\WScript.exe
                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                            28⤵
                                                            • Loads dropped DLL
                                                            PID:2384
                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                              29⤵
                                                              • Executes dropped EXE
                                                              • Suspicious use of SetWindowsHookEx
                                                              PID:2324
                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                30⤵
                                                                • Loads dropped DLL
                                                                PID:2136
                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                  31⤵
                                                                  • Executes dropped EXE
                                                                  • Suspicious use of SetWindowsHookEx
                                                                  PID:2412
                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                    32⤵
                                                                    • Loads dropped DLL
                                                                    PID:3056
                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                      33⤵
                                                                      • Executes dropped EXE
                                                                      • Suspicious use of SetWindowsHookEx
                                                                      PID:1960
                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                        34⤵
                                                                        • Loads dropped DLL
                                                                        PID:340
                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                          35⤵
                                                                          • Executes dropped EXE
                                                                          • Suspicious use of SetWindowsHookEx
                                                                          PID:1940
                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                            36⤵
                                                                            • Loads dropped DLL
                                                                            PID:1724
                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                              37⤵
                                                                              • Executes dropped EXE
                                                                              • Suspicious use of SetWindowsHookEx
                                                                              PID:2028
                                                                              • C:\Windows\SysWOW64\WScript.exe
                                                                                "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                38⤵
                                                                                • Loads dropped DLL
                                                                                PID:2316
                                                                                • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                  "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                  39⤵
                                                                                  • Executes dropped EXE
                                                                                  • Suspicious use of SetWindowsHookEx
                                                                                  PID:744
                                                                                  • C:\Windows\SysWOW64\WScript.exe
                                                                                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                    40⤵
                                                                                    • Loads dropped DLL
                                                                                    PID:2404
                                                                                    • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                      "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                      41⤵
                                                                                      • Executes dropped EXE
                                                                                      • Suspicious use of SetWindowsHookEx
                                                                                      PID:1312
                                                                                      • C:\Windows\SysWOW64\WScript.exe
                                                                                        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                        42⤵
                                                                                        • Loads dropped DLL
                                                                                        PID:2100
                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                          43⤵
                                                                                          • Executes dropped EXE
                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                          PID:1264
                                                                                          • C:\Windows\SysWOW64\WScript.exe
                                                                                            "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                            44⤵
                                                                                              PID:3000
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                            19⤵
                                            • Executes dropped EXE
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2848
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                    15⤵
                                    • Executes dropped EXE
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2544
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                      16⤵
                                        PID:2564

        Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

          Filesize

          92B

          MD5

          67b9b3e2ded7086f393ebbc36c5e7bca

          SHA1

          e6299d0450b9a92a18cc23b5704a2b475652c790

          SHA256

          44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

          SHA512

          826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          774844b08b364b32d1209ef0d962d2fd

          SHA1

          967a30d076aa269a5cef321d36ac1f5c1eb180cb

          SHA256

          c9beda5ae7965cd968f1e6b1e11f17b1b443b8fc6dddb9ad0fe830aafe35ae3a

          SHA512

          2bab1d82f2cf484029722e64dd75516645e3f2dc6028153b65479757a3d33bbe883a1ac97771f1a9dfff1927cbfc58b5460f0c21a3ce01a4eae32b205772c4ec

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          d6aef0b19d7d8dc2eda464cf358007b7

          SHA1

          c271fa23eee2c534cc862f7575df47f660c94d27

          SHA256

          70965d19e9afccec497ac21e98bfea9be46cf5df938982b3d19e6295aab3bb1d

          SHA512

          c547f50069f9f97dd9877bdb529f4ed49f9761d5cab1ff703e5185a6071e7591b98237834c6bd386b68b9c6504b76bdc581bf17a6fcef94e74b1483d47cf764a

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          bdff210bf33c9ed5f2b10773c8c98ff5

          SHA1

          fc4fbaca4c7f23506dc792dec89e640050ad62e9

          SHA256

          900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

          SHA512

          45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          753B

          MD5

          7acb3b276a6e23cc97861bb10fd48d5e

          SHA1

          458ca9fd7a469766573bdd9a4b527a7caadbdefb

          SHA256

          f19fdb878a52ee85d97a14085849ec88a2124126189213f8be103d5e13934397

          SHA512

          efd4b0b601b57de4e821c7be4f9d0e66affa2c91a18522dba015261efeeda08e33e13b8b0b2a500d164b3f77f5adcb19bbb2d2e82e9a0f40888027b2e190707d

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          c5ae655707a21f6473c5f382a787e100

          SHA1

          1d2078ebfae286212eb90e60c9dbce5e70ac24f1

          SHA256

          baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

          SHA512

          af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          2c6490a42a6a0c40ff0c4e23b3e1aa2f

          SHA1

          673399038e095a86936267b5014fc7d216ee5c0a

          SHA256

          4b5b75f23c5d2765bccf9691327947fcdd4e1e17e6da73c1b1c47dab8db99b3d

          SHA512

          8ffd13c3e9ecd8c522703bf13f839b3925bf3dd0418c33e8b4edc5cd07ca53d76d21e3d8f2e47622d51cc73ac3eed7dd2f7308bb332cde1bd1e6f1cb8f8bb8d5

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          4e9605159361f93230fef3cc5ad4301c

          SHA1

          64e6d5673487e049cc4e96650b507641062ca1bf

          SHA256

          2abd0c0ae088f6c911f23add50e985c447f1c62c8a45f848698b08d6e6dd20e7

          SHA512

          5cf02982826cc6e08ea33c4ce5d186ad4277493480cf08c2df56a7deea87e58a6df3a95097c96409a89317528933e0999d4ccddc2403024bd04b6e1c312f42fe

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          3fe126921f6537cf36cd507b1649ffbb

          SHA1

          445c8796d072bb5829f0af8421e3eb7da34add70

          SHA256

          b4af7c7ab452f12e0ea38532d00cfa19cf99247ef169e5e698acd882e72750a6

          SHA512

          5d8527210f01cc30bda93521cdbd9828d03f2af3e2810996ad8c60cf62a35e415c0e54a34e00847ae30bf2718e8c431b65ed4f509c11986a8eb54ed6ed64ac94

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          f262d0722b88145e786399f42047785d

          SHA1

          9f4426b6ac52bb0456945b0619fcd355d118a0b7

          SHA256

          f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

          SHA512

          da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          344b0286b823cd492e5ca9c83c00ba11

          SHA1

          b76dbac9b5724f5b1e11a10ed7a2125edb16259b

          SHA256

          04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

          SHA512

          9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          1c4a20bad462e2ead31b207cd4b0dd1b

          SHA1

          e6037559a47f711d0e930c907b6c33269cb8ecb9

          SHA256

          7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

          SHA512

          78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          9d9867376c8284245aea97643987cadf

          SHA1

          fe6a7bd23577feb841e3cbeae6aebd38a742b0a5

          SHA256

          b31c91bdbe14673b004567163ddea094dd6bd903f62c5a57c3b3f79268021fb4

          SHA512

          2dc179cf9f71aae049072f62e06951537e38c6070d79d98aaaa94d2b1b53edd6550f6d1c61a2ffc117ed53791689b59c50826bb506cf22cb01235da522d623a1

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          d9ab21af2046aedc3484d569036c3ef7

          SHA1

          ade5e9eb5b1180a77a2164e61f74beb411cdfb56

          SHA256

          90b8f17e573879b63c512e7c0dd6ff9454d177163e2d95d0090b2ef22ae5ec79

          SHA512

          cb8c202cd3d66ee897982e42257320dfef0a23eb96b9a3189869e9a0ce030d4baaa8c0a6fc5e197d2d19d742b0d7b3f34adb12933192dd6e4b1388433755d1ac

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          6be6c6e7f069c3bf9f1d895f7d6dd6f9

          SHA1

          b82e1a63d67a70312d4e72ed0cad16c9eff2ea2d

          SHA256

          dffba73e9d8ef452fe2ebc3bf1468b89b2cc7e285f40f70dd1d27d2bf4772bd8

          SHA512

          d8915c3b517d927d476eaf96b9d9412e37822d5c1d1affa0013c75a858245ff080467b238efb171b9c0c43bb5fb79a68120eac48ecd169398b4c89de85b07ce9

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          d5c326197c3c8819ce4834ce40ae5543

          SHA1

          655193ba4fd92bdce5d66ef92e8e4f26a2744692

          SHA256

          ac1b0a673c0487bdb00991b7e691be0de9eaf5c8a5364db88f034fb19985653a

          SHA512

          eaa8e4b5cb9372e9d052518b5708c520b4b069cc68f17624313d8eac08cbe17b3379ea6efd6cbc99eb2870f5353195407962c8ad6c46f6be355107098d79af21

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          24bbc5a71c3896d3e8a8c404f9a63e13

          SHA1

          c01e200e1e700b6dcb8fc8119b4fd1a758617695

          SHA256

          c088e69540af849d49ab1fbe376fb3ae0f0bcb1fb7ccb5911caa7780bda28aef

          SHA512

          9ed40f24d6a54735c9af367d1b94f2dad61c53ad449c6581ac9b428fc8022157698b8a447c10549428cb4378f17c8a6c745f4da5e7944d7cdace264b235422bd

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          55befd42195f27f2306f1cea1e980e53

          SHA1

          2f2de86c209fb9bb8b2dc79b3d9c5b974c2dfd8f

          SHA256

          a66ad18d767d721ca1b2b25e231eec8cfee12f9bf5d025d81f2dafde451b2a04

          SHA512

          906abde0b9aafd027442965b1bf865e39702ba5f6804ff5395543d0da636b34c12bf633ebc519dcab72529f74e675ee2fabf526658cc5f2f7dad3f3c92f58456

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          c6329eeca2e45e82064afa07bc581406

          SHA1

          ad386af4101ebac4dbfddaf799f279e421d60826

          SHA256

          2b86de4712cb2c7e787c60e8767e747c5d819441cefec73bf081a148105e6817

          SHA512

          67f28db214685db505b5f7cb14926cba7d1ae9223f386bf191f68f2de9e51ab1205a6f37235dee1632a8e9f7f755ba1336c06ae36fe128b6c068facae5e818cf

        • \??\PIPE\srvsvc

          MD5

          d41d8cd98f00b204e9800998ecf8427e

          SHA1

          da39a3ee5e6b4b0d3255bfef95601890afd80709

          SHA256

          e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

          SHA512

          cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

        • memory/340-219-0x00000000043F0000-0x000000000454F000-memory.dmp

          Filesize

          1.4MB

        • memory/744-243-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/744-236-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/816-170-0x0000000005A00000-0x0000000005B5F000-memory.dmp

          Filesize

          1.4MB

        • memory/1008-164-0x0000000003B40000-0x0000000003C9F000-memory.dmp

          Filesize

          1.4MB

        • memory/1008-45-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1008-50-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1172-169-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1172-165-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1260-53-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1260-61-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1264-257-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1312-248-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1312-251-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1396-66-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1396-74-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1428-177-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1836-159-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1836-156-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1900-140-0x00000000046A0000-0x00000000047FF000-memory.dmp

          Filesize

          1.4MB

        • memory/1928-178-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1928-185-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1940-227-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1940-224-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1960-218-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2000-141-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2000-136-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2028-228-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2028-235-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2080-94-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2080-99-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2092-127-0x00000000059F0000-0x0000000005B4F000-memory.dmp

          Filesize

          1.4MB

        • memory/2100-256-0x0000000004900000-0x0000000004A5F000-memory.dmp

          Filesize

          1.4MB

        • memory/2296-118-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

          Filesize

          1.4MB

        • memory/2296-117-0x0000000005DF0000-0x0000000005F4F000-memory.dmp

          Filesize

          1.4MB

        • memory/2296-102-0x0000000004770000-0x00000000048CF000-memory.dmp

          Filesize

          1.4MB

        • memory/2324-194-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2324-201-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2332-148-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2332-152-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2372-168-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

          Filesize

          1.4MB

        • memory/2372-133-0x0000000005BB0000-0x0000000005D0F000-memory.dmp

          Filesize

          1.4MB

        • memory/2412-203-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2412-210-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2420-24-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2420-14-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2472-29-0x0000000004630000-0x000000000478F000-memory.dmp

          Filesize

          1.4MB

        • memory/2528-190-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2528-193-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2544-119-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2544-128-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2584-103-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2584-112-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2668-39-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2668-30-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2848-158-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2848-157-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3000-202-0x0000000004870000-0x00000000049CF000-memory.dmp

          Filesize

          1.4MB

        • memory/3040-83-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3040-87-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3056-211-0x0000000004760000-0x00000000048BF000-memory.dmp

          Filesize

          1.4MB

        • memory/3056-9-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3056-0-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB