Analysis Overview
SHA256
691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f
Threat Level: Shows suspicious behavior
The file 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f was found to be: Shows suspicious behavior.
Malicious Activity Summary
Checks computer location settings
Deletes itself
Executes dropped EXE
Loads dropped DLL
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-13 18:43
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-13 18:43
Reported
2024-06-13 18:45
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
142s
Command Line
Signatures
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\SysWOW64\WScript.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 21.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-13 18:43
Reported
2024-06-13 18:45
Platform
win7-20240220-en
Max time kernel
149s
Max time network
123s
Command Line
Signatures
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe | N/A |
Executes dropped EXE
Loads dropped DLL
Enumerates physical storage devices
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: RenamesItself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe
"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
Network
Files