Malware Analysis Report

2024-10-19 08:23

Sample ID 240613-xc1lkssapm
Target 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f
SHA256 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f
Tags
score
7/10

Analysis Overview

score
7/10

SHA256

691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f

Threat Level: Shows suspicious behavior

The file 691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f was found to be: Shows suspicious behavior.

Malicious Activity Summary


Checks computer location settings

Deletes itself

Executes dropped EXE

Loads dropped DLL

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: RenamesItself

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-13 18:43

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-13 18:43

Reported

2024-06-13 18:45

Platform

win10v2004-20240611-en

Max time kernel

93s

Max time network

142s

Command Line

"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Windows\SysWOW64\WScript.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Windows\SysWOW64\WScript.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4556 wrote to memory of 3912 N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe C:\Windows\SysWOW64\WScript.exe
PID 3912 wrote to memory of 4876 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 4876 wrote to memory of 3896 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 4876 wrote to memory of 3736 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 3736 wrote to memory of 920 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3896 wrote to memory of 3268 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe

"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 20.160.190.20.in-addr.arpa udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 21.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 198.121.18.2.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 83.121.18.2.in-addr.arpa udp

Files

memory/4556-0-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 414415ac100a7075914510a5bf124a3c
SHA1 353b3279f580a51d739553e56fc84e63defcf4c4
SHA256 7db5de67a49f62351728b7419eb47c59b2971a209d8004df775f59a2064cbe23
SHA512 ed1629de56a0d5e8c80172b26430fb7995c42af8368e896f69c475ccb5a74f59dfda3f94874b95547e21401db3ce88c39d87b25ec64d9cc5a1069ed5340daf3f

memory/4556-9-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 bcf5f9c96e205a858b8a59dd8dd74ed4
SHA1 40a4df367555487be883cb691c242912f6796883
SHA256 295c5ecbf9f1bdfc0aa9bce17482766464d8d0956bae2319e28425f32a4a0494
SHA512 94f842d35d28ba55c5451b74c3c09d152be88857bb08d27d42172f29591baa6c5b6cf1024a97dafa08d7f100e7c6618ae6c49161ff2dc33a94025c1ab5d473f7

\??\PIPE\srvsvc

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

MD5 5465e98b54b47d65941e5d12deb27c9d
SHA1 50e5e6ced6e5e332b303de4fa146482fbdf782d5
SHA256 38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a
SHA512 50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

MD5 67b9b3e2ded7086f393ebbc36c5e7bca
SHA1 e6299d0450b9a92a18cc23b5704a2b475652c790
SHA256 44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d
SHA512 826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

memory/4876-23-0x0000000000400000-0x000000000055F000-memory.dmp

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

MD5 469eea20a1bb6198a771a89a91dd034d
SHA1 16e2735ccfc23beeecf7881287597f6f439c4bdb
SHA256 69758fa6f8292d9f8857d09c03da9061b07f71f70e7bcbd849db0b588d711c3a
SHA512 0bd0d1d07f6420c14d65c6dbcdad8e8691018a327fdd52dbca1e8da8ccebe764185ecd1b6669879499a63d71e4c79f396f4818f0ffc688351c35884e111c1285

memory/3268-28-0x0000000000400000-0x000000000055F000-memory.dmp

memory/920-27-0x0000000000400000-0x000000000055F000-memory.dmp

memory/920-29-0x0000000000400000-0x000000000055F000-memory.dmp

memory/3268-30-0x0000000000400000-0x000000000055F000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-13 18:43

Reported

2024-06-13 18:45

Platform

win7-20240220-en

Max time kernel

149s

Max time network

123s

Command Line

"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"

Signatures

Deletes itself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious behavior: RenamesItself

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3056 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe C:\Windows\SysWOW64\WScript.exe
PID 3056 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe C:\Windows\SysWOW64\WScript.exe
PID 3056 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe C:\Windows\SysWOW64\WScript.exe
PID 3056 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe C:\Windows\SysWOW64\WScript.exe
PID 2564 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2564 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2564 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2564 wrote to memory of 2420 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2420 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2420 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2420 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2420 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2472 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2472 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2472 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2472 wrote to memory of 2668 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2668 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2668 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2668 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2668 wrote to memory of 2124 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2124 wrote to memory of 1008 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2124 wrote to memory of 1008 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2124 wrote to memory of 1008 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2124 wrote to memory of 1008 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1008 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1008 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1008 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1008 wrote to memory of 332 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 332 wrote to memory of 1260 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 332 wrote to memory of 1260 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 332 wrote to memory of 1260 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 332 wrote to memory of 1260 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1260 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1260 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1260 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1260 wrote to memory of 2228 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 332 wrote to memory of 1396 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 332 wrote to memory of 1396 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 332 wrote to memory of 1396 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 332 wrote to memory of 1396 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 1396 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1396 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1396 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1396 wrote to memory of 2092 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2092 wrote to memory of 3040 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 3040 wrote to memory of 1900 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 1900 wrote to memory of 2080 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
PID 2080 wrote to memory of 2296 N/A C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe C:\Windows\SysWOW64\WScript.exe
PID 2296 wrote to memory of 2584 N/A C:\Windows\SysWOW64\WScript.exe C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Processes

C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe

"C:\Users\Admin\AppData\Local\Temp\691a74863f224585355714faf5a5f583dc729a14cdc3eb5c74dec29c64e3174f.exe"

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

"C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"

Network

N/A

Files

C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

\??\PIPE\srvsvc

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini
