6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae

Analysis

max time kernel
131s
max time network
126s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/10/2023, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe
Size

1.1MB
MD5

e4984942dc13a6fc681001c5933a3963
SHA1

b8c1f6d36cf3887c48faa810561e6ed63ac14893
SHA256

6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae
SHA512

edc6899a9e768f98aeeee3c15fe7d60f37afc584f610e5a63f07f8201411da6c88afae84410639565b9bde73e4fe49791ecf3ad25384deaaecfe0e4f4f19ee1a
SSDEEP

24576:gRW3N/0f/oAPoRBchI5anfOlAUAi1K6oElG4lBujFAvCyRh:g5ApamAUAQ/lG4lBmFAvZh

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
3000	svchcst.exe

Executes dropped EXE 25 IoCs

pid	Process
3000	svchcst.exe
1912	svchcst.exe
1420	svchcst.exe
592	svchcst.exe
328	svchcst.exe
332	svchcst.exe
1336	svchcst.exe
2980	svchcst.exe
2892	svchcst.exe
924	svchcst.exe
1620	svchcst.exe
2296	svchcst.exe
1160	svchcst.exe
912	svchcst.exe
1748	svchcst.exe
2356	svchcst.exe
2824	svchcst.exe
2544	svchcst.exe
1200	svchcst.exe
800	svchcst.exe
1380	svchcst.exe
1152	svchcst.exe
1704	svchcst.exe
1336	svchcst.exe
2572	svchcst.exe

Loads dropped DLL 49 IoCs

pid	Process
2680	WScript.exe
2680	WScript.exe
2840	WScript.exe
2840	WScript.exe
700	WScript.exe
700	WScript.exe
436	WScript.exe
436	WScript.exe
2368	WScript.exe
2368	WScript.exe
2108	WScript.exe
2108	WScript.exe
1784	WScript.exe
1784	WScript.exe
2184	WScript.exe
2184	WScript.exe
2684	WScript.exe
2428	WScript.exe
2428	WScript.exe
2684	WScript.exe
2488	WScript.exe
2488	WScript.exe
1364	WScript.exe
1364	WScript.exe
2268	WScript.exe
2268	WScript.exe
1432	WScript.exe
1432	WScript.exe
868	WScript.exe
868	WScript.exe
2540	WScript.exe
2540	WScript.exe
2540	WScript.exe
2540	WScript.exe
1980	WScript.exe
1980	WScript.exe
2500	WScript.exe
2500	WScript.exe
2500	WScript.exe
1524	WScript.exe
1524	WScript.exe
2056	WScript.exe
2056	WScript.exe
3064	WScript.exe
3064	WScript.exe
1004	WScript.exe
1004	WScript.exe
3068	WScript.exe
3068	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe
3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe
3000	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe

Suspicious use of SetWindowsHookEx 52 IoCs

pid	Process
3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe
3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe
3000	svchcst.exe
3000	svchcst.exe
1912	svchcst.exe
1912	svchcst.exe
1420	svchcst.exe
1420	svchcst.exe
592	svchcst.exe
592	svchcst.exe
328	svchcst.exe
328	svchcst.exe
332	svchcst.exe
332	svchcst.exe
1336	svchcst.exe
1336	svchcst.exe
2980	svchcst.exe
2980	svchcst.exe
2892	svchcst.exe
2892	svchcst.exe
924	svchcst.exe
924	svchcst.exe
1620	svchcst.exe
1620	svchcst.exe
2296	svchcst.exe
2296	svchcst.exe
1160	svchcst.exe
1160	svchcst.exe
912	svchcst.exe
912	svchcst.exe
1748	svchcst.exe
1748	svchcst.exe
2356	svchcst.exe
2356	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2544	svchcst.exe
2544	svchcst.exe
1200	svchcst.exe
1200	svchcst.exe
800	svchcst.exe
800	svchcst.exe
1380	svchcst.exe
1380	svchcst.exe
1152	svchcst.exe
1152	svchcst.exe
1704	svchcst.exe
1704	svchcst.exe
1336	svchcst.exe
1336	svchcst.exe
2572	svchcst.exe
2572	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3032 wrote to memory of 2680	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	28
PID 3032 wrote to memory of 2680	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	28
PID 3032 wrote to memory of 2680	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	28
PID 3032 wrote to memory of 2680	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	28
PID 3032 wrote to memory of 2628	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	29
PID 3032 wrote to memory of 2628	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	29
PID 3032 wrote to memory of 2628	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	29
PID 3032 wrote to memory of 2628	3032	6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe	29
PID 2680 wrote to memory of 3000	2680	WScript.exe	31
PID 2680 wrote to memory of 3000	2680	WScript.exe	31
PID 2680 wrote to memory of 3000	2680	WScript.exe	31
PID 2680 wrote to memory of 3000	2680	WScript.exe	31
PID 3000 wrote to memory of 2840	3000	svchcst.exe	33
PID 3000 wrote to memory of 2840	3000	svchcst.exe	33
PID 3000 wrote to memory of 2840	3000	svchcst.exe	33
PID 3000 wrote to memory of 2840	3000	svchcst.exe	33
PID 3000 wrote to memory of 2860	3000	svchcst.exe	32
PID 3000 wrote to memory of 2860	3000	svchcst.exe	32
PID 3000 wrote to memory of 2860	3000	svchcst.exe	32
PID 3000 wrote to memory of 2860	3000	svchcst.exe	32
PID 2840 wrote to memory of 1912	2840	WScript.exe	34
PID 2840 wrote to memory of 1912	2840	WScript.exe	34
PID 2840 wrote to memory of 1912	2840	WScript.exe	34
PID 2840 wrote to memory of 1912	2840	WScript.exe	34
PID 1912 wrote to memory of 700	1912	svchcst.exe	35
PID 1912 wrote to memory of 700	1912	svchcst.exe	35
PID 1912 wrote to memory of 700	1912	svchcst.exe	35
PID 1912 wrote to memory of 700	1912	svchcst.exe	35
PID 700 wrote to memory of 1420	700	WScript.exe	36
PID 700 wrote to memory of 1420	700	WScript.exe	36
PID 700 wrote to memory of 1420	700	WScript.exe	36
PID 700 wrote to memory of 1420	700	WScript.exe	36
PID 1420 wrote to memory of 436	1420	svchcst.exe	37
PID 1420 wrote to memory of 436	1420	svchcst.exe	37
PID 1420 wrote to memory of 436	1420	svchcst.exe	37
PID 1420 wrote to memory of 436	1420	svchcst.exe	37
PID 436 wrote to memory of 592	436	WScript.exe	38
PID 436 wrote to memory of 592	436	WScript.exe	38
PID 436 wrote to memory of 592	436	WScript.exe	38
PID 436 wrote to memory of 592	436	WScript.exe	38
PID 592 wrote to memory of 2368	592	svchcst.exe	39
PID 592 wrote to memory of 2368	592	svchcst.exe	39
PID 592 wrote to memory of 2368	592	svchcst.exe	39
PID 592 wrote to memory of 2368	592	svchcst.exe	39
PID 2368 wrote to memory of 328	2368	WScript.exe	40
PID 2368 wrote to memory of 328	2368	WScript.exe	40
PID 2368 wrote to memory of 328	2368	WScript.exe	40
PID 2368 wrote to memory of 328	2368	WScript.exe	40
PID 328 wrote to memory of 2108	328	svchcst.exe	41
PID 328 wrote to memory of 2108	328	svchcst.exe	41
PID 328 wrote to memory of 2108	328	svchcst.exe	41
PID 328 wrote to memory of 2108	328	svchcst.exe	41
PID 2108 wrote to memory of 332	2108	WScript.exe	42
PID 2108 wrote to memory of 332	2108	WScript.exe	42
PID 2108 wrote to memory of 332	2108	WScript.exe	42
PID 2108 wrote to memory of 332	2108	WScript.exe	42
PID 332 wrote to memory of 1784	332	svchcst.exe	43
PID 332 wrote to memory of 1784	332	svchcst.exe	43
PID 332 wrote to memory of 1784	332	svchcst.exe	43
PID 332 wrote to memory of 1784	332	svchcst.exe	43
PID 1784 wrote to memory of 1336	1784	WScript.exe	46
PID 1784 wrote to memory of 1336	1784	WScript.exe	46
PID 1784 wrote to memory of 1336	1784	WScript.exe	46
PID 1784 wrote to memory of 1336	1784	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe
"C:\Users\Admin\AppData\Local\Temp\6ca95ecd56408d1e44cb18935578e6d8d7f407e37953c31136f73afa80c063ae.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      PID:2860
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1912
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1420
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:436
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:592
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        
        PID:2184
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:924
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        Loads dropped DLL
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1620
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        
        PID:1520
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        22⤵
        Loads dropped DLL
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        Loads dropped DLL
        
        PID:2268
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1160
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        26⤵
        Loads dropped DLL
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:912
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        28⤵
        Loads dropped DLL
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1748
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        Loads dropped DLL
        
        PID:2540
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        
        PID:3040
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:2500
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1200
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:800
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        Loads dropped DLL
        
        PID:1524
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1380
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        36⤵
        Loads dropped DLL
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        37⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1152
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        38⤵
        Loads dropped DLL
        
        PID:3064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1704
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        
        PID:112
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        40⤵
        Loads dropped DLL
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        41⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1336
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        42⤵
        Loads dropped DLL
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2572
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:1416
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:1908
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:1676
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        46⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        47⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        48⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        44⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        45⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:1768
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        32⤵
        Loads dropped DLL
        
        PID:1980
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        33⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2544
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        34⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        30⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        24⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        20⤵
        
        PID:2180
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:2892
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        
        PID:1608
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  PID:2628

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
09c9c42e763b3974c27163afa811fa30

SHA1
6b47aa28987215bc564aab3d9453585f9079574a

SHA256
d8456d99916c74678d440578fabae75f98e506581100cb81a5797c2cc83b0155

SHA512
7d62a9b846e44ed39ea7dca8beec0103b76120fdaca8b34e7d6967ee7904549e70931285cb0080c10b84077ac589e1c81e36ebbbf0e4f3e9c258cbe5dded78ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
09c9c42e763b3974c27163afa811fa30

SHA1
6b47aa28987215bc564aab3d9453585f9079574a

SHA256
d8456d99916c74678d440578fabae75f98e506581100cb81a5797c2cc83b0155

SHA512
7d62a9b846e44ed39ea7dca8beec0103b76120fdaca8b34e7d6967ee7904549e70931285cb0080c10b84077ac589e1c81e36ebbbf0e4f3e9c258cbe5dded78ed

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
faa8ef2e758448ccba58a486794e0699

SHA1
85bd05023b75335ca0ff084efcd02e7e9e447e88

SHA256
f4c0222febb3104b66ec8578be36697e28bc8956d3606e711c39b3ad7fcf6b8b

SHA512
8a1074670bbf7942ba1cef24d474aa26b9a66c378cc790a5577bc3d487f7174dad7890d2fdd43eccad42c4da28e282e5909a8f9de120a3ba81ee2847b44a328e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
30eafc82ac9962314c98d54ef2588957

SHA1
3bf1e1f24264448ba2688366b10b083c808e1e7a

SHA256
fc93c94af2daa9c8b70b9f6104f613a1cf0ac39bf1856542a3dbb6f828d2bee6

SHA512
5cd90109e61e06fda91874fd3cd28d83b42b6e586446ce99cf69a611f0015f56010937fadca4accef57ab47b5bca54b4171479a9a989ab5b1a015d491f985fb5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
55765ba68da8820ee35d2d4d1dedeac0

SHA1
19f5f147056f3d837a11d6b08a7fc9544f9927f6

SHA256
1eb237d283717ac45bdfef217d3d09fb4ef73db3838859057c94e488b329c522

SHA512
61b6361b8dfef2067016c50e830db1fc768d0654a3f643cf4b4cb1193de722f74401e73f719d8cff5a443058adfa7e3cd0dfc502f25dd249cdc36a7056c81c18

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ca638ab56e1883ffe75969d1d8c4a61

SHA1
2f32fe1ad07a21f4aade2693ef174e30427e4f26

SHA256
ab716890ffa3b303c706ba2fc2ff48ba57e82b94b3bb3198cbb5700d74218c9d

SHA512
91f259046507902e077ac73aa23005f33cb3f93b6822e325bf3dd785b7616128bae36e13ba016f6a67cdddedef644d9cf44d49bba7d989dc5e59b93d446d626c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5ba8c208c5700f7f25c2e24e00d50ac8

SHA1
9838a0ab093ed94bc85a80b1feee14b68e4df8d1

SHA256
213371c33e19f6f9e28f089e3206fe50c39b190548b0500f7ba8aff869a68cd6

SHA512
065e45ebe4197cdf7e13b799928dfb29e17d4a1741e3e103000b147288b34f16300b72874ec85aefa2c04cc939df115a9fb383d5c95982c1371e75605d1a9b17

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e94e88174ec781f873054a1341dde3c1

SHA1
1bfcc1fd57262661e3e17db7f582004d481e95d9

SHA256
83a3606b4d4b48761b768ff2bd5668a599025f46b5d31b73bd0b014f6f95e225

SHA512
10dd4c89ea250920267a33317f693093471b805e33f18b38ffd7e3b9fb12624047f6bca7c82b0a2c83a3d6cead4d289f3da723b249a7ab6a9c40b339977fe7f6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
2caa2e102cde23b48c1d5a47d901c3ff

SHA1
715fcb390ad3d9016885ab48ea99b2e204d1989b

SHA256
8e1f14065ac316ee2fcefab057390fe8b1ec88d9c35536f0755204ddf0d84ada

SHA512
9f6b298b5becff9b0af67c3181177876366db57d8d48ad3974dffa4f61fe7512b68d770e518d08d59c58d2707c52bd78930d2e36f00ef06f0a26d208e5372ae3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
81911744d71ed066085116eec2026095

SHA1
47cfe383cd90c80f367d20667fa26cd160507a8f

SHA256
3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

SHA512
e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f02b234115a56496bcd6642d1de04e5d

SHA1
d383b9d3c82fe145f25a9a6e7e4333151fd4ecc6

SHA256
9eca0120263ab4947d38369d9a4986744e61189382c1d313eb464ad449ea2651

SHA512
c446eccd822729a81d49321c88ecc0fba4e4f7b6f6277d2660c7f3a18a67614915ae24a96353bf93b039eb441f0c260c1961a1363f16524dbeaf2554626c1b4e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5465e98b54b47d65941e5d12deb27c9d

SHA1
50e5e6ced6e5e332b303de4fa146482fbdf782d5

SHA256
38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

SHA512
50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f762b3b2477d92959f29d768008d453

SHA1
ceaa2b37d64bcffd7f862a75e1d0fb06edbddb97

SHA256
5827d14409ed9f3361d81904d50e067223457590dda163a680ce4216e495a3d5

SHA512
fd1445d89a0fa5d185ce51442c402d9906fa8bf7c1458a862568ad0649dfa22c5f90ed243b98339ec9706541d244b0217f1cd05e715dc49067e059fe08d80420

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
608aea68519434d685c413b31a12c6ce

SHA1
7a62e13cab985d0588a0faea63751fd0355da7fc

SHA256
5ed3aa382febd7a4e6c3a921a5add055f6e2bbea7558b21da46752f037d52b1a

SHA512
6ddca4b85fc1b6ecb6c1081b32067eb438ed5167b48565ea449e6babb1f27a01c75599c6b0f10b29ac9278e619891588d654466ce882d8080f4d2435f450d198

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
5f2a40f410e1db471d583c90bb1bf208

SHA1
1e49ed23e02976dede24633c367ab8c92fb4fd9b

SHA256
03c04fafe55862423025fe6e16bbeda1dbded8150a0c0dd363164733051fe1e4

SHA512
98a4ba3960f66728d4a286c8cff2223742d701467a647b6d4a2f118a6e2c53c9a4f6c329a36c099b151d42279ba0823ff07a8df49c87d02a7470f595052f725c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d44632a3e4cce7689f6de0096ea7b712

SHA1
62726ae2641d71b6a218793f1ca8c00c81443eda

SHA256
013ba01f27689a865f4497bdab298b8914e8c235beac2311020fa928649a7603

SHA512
ed9934194e0211fca3d30bb16802ae080086a71d4b8b065afecea339f06f4d5dc43f51786059d6ccaf7718a54dde8b050268068ed6a416dacfa6c79a8ba0881a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f76c7cf504b872903a1325a57e8baaf9

SHA1
896ac9d8338b41c7673781f07915612c538c385f

SHA256
46436b128cbdb907e9666c1aa6257164f7e5a2ebe1c79b9198b36e50115a8163

SHA512
59c0e9f508682af572185dd2578ad1e62abb99297a99018af7638bc8d2f6693fe00900bd739e00a912088f77624f08034dba041ce1677e2924cb8ab3196b6054

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d5a26bd3b4366107ffbb4663050f6576

SHA1
09a5b81e452620340fcc2343a146ac5469576d44

SHA256
6e6abc76efb5447d4e9b20d07396db93d0368e6f81f558217f81a4dedc437eef

SHA512
527fe34594e983df77843639208f832c63f24a23e6e72fabc3e27eb1cce2e08e4306f3a5ebd288142f9684c6730431fe09f2c60f699a0825dc8270e961abbb10

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
8e2ae053ceb7062fca84af2a4b776842

SHA1
e0efd0b54009a60e3682ed38deaddd833c8652b6

SHA256
58391f462883b293fdb398c52afb015698a4aa455fde921d706159ccccc6375f

SHA512
71b28f16bbcd83fd3cd69c985cc7482ddb167f287f6f331fc6c2f71b5b9759d6692ad93eb45e3a4039e5234f795076cd090e46c80b2661a00327a19b0ceab7b3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
58f24a6470c6d1ddfd848ff07a09ffd9

SHA1
586e20eb7c62ea68285da80294409b0b8edcf4bf

SHA256
3b3212c3b6a2f1e5c92511aa378d5073fcaf5ab350b91b7b85935b74b2132478

SHA512
f23457e6b011b2c43ea0c8ac87166d5e316cb63ceeaa105496cd6ca36c863b1c8f1ffe4046789992050fcf1d45499a17367282ebca9c9c756909325e3ded10b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
58f24a6470c6d1ddfd848ff07a09ffd9

SHA1
586e20eb7c62ea68285da80294409b0b8edcf4bf

SHA256
3b3212c3b6a2f1e5c92511aa378d5073fcaf5ab350b91b7b85935b74b2132478

SHA512
f23457e6b011b2c43ea0c8ac87166d5e316cb63ceeaa105496cd6ca36c863b1c8f1ffe4046789992050fcf1d45499a17367282ebca9c9c756909325e3ded10b2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1676b8e74c639cfc891b785850512367

SHA1
e93e62bd079c6a4686c36c7e87a13246b59e46cd

SHA256
d8eaaf486cfc3d13db98bcc5ca5d1a67e43810a555147196fdaeb4b4f4b74e9c

SHA512
a8a66e3fed34d750df375f963b6d8bd5738d513547d5525c8e8d16b9aa6a8b7c205b3d888015280257efce743b626d2428b5df9018e9364a00741f5ad372c0af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1676b8e74c639cfc891b785850512367

SHA1
e93e62bd079c6a4686c36c7e87a13246b59e46cd

SHA256
d8eaaf486cfc3d13db98bcc5ca5d1a67e43810a555147196fdaeb4b4f4b74e9c

SHA512
a8a66e3fed34d750df375f963b6d8bd5738d513547d5525c8e8d16b9aa6a8b7c205b3d888015280257efce743b626d2428b5df9018e9364a00741f5ad372c0af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c47022fc6b5e322dcb8180110400cba

SHA1
bf55fb51225284dd84a5acace1fc5878f5d9dffa

SHA256
6deb5f296277bc379267509311fec910c820b4b588a2fd6ab6e2a1a480ba5065

SHA512
c44c2bc12e61d952c92eb99a773373016462ea95e592d9bd0b3cf3a0227809fba7bf412e7f14733e706df295d1863d559bc679a779267d5bbf5c0ccbc7882f45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c47022fc6b5e322dcb8180110400cba

SHA1
bf55fb51225284dd84a5acace1fc5878f5d9dffa

SHA256
6deb5f296277bc379267509311fec910c820b4b588a2fd6ab6e2a1a480ba5065

SHA512
c44c2bc12e61d952c92eb99a773373016462ea95e592d9bd0b3cf3a0227809fba7bf412e7f14733e706df295d1863d559bc679a779267d5bbf5c0ccbc7882f45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c47022fc6b5e322dcb8180110400cba

SHA1
bf55fb51225284dd84a5acace1fc5878f5d9dffa

SHA256
6deb5f296277bc379267509311fec910c820b4b588a2fd6ab6e2a1a480ba5065

SHA512
c44c2bc12e61d952c92eb99a773373016462ea95e592d9bd0b3cf3a0227809fba7bf412e7f14733e706df295d1863d559bc679a779267d5bbf5c0ccbc7882f45

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7cdc37e7a8fe98cc302619627bf2c69c

SHA1
d40d3ecce460a32874d88e2efb31147baac38ce2

SHA256
67e60bc04215343c68dea8d498d717027f34ca283bb6e9c7746cbb3876c0d433

SHA512
e8d8df371e5c9a665a6a8c99ea7b0fc081ee428d89fb1b9e064ced40b87d646144bebd066ed9601088c50516e1c664ab8b8bdd6bb8f7a32aa941456223e3cd01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7cdc37e7a8fe98cc302619627bf2c69c

SHA1
d40d3ecce460a32874d88e2efb31147baac38ce2

SHA256
67e60bc04215343c68dea8d498d717027f34ca283bb6e9c7746cbb3876c0d433

SHA512
e8d8df371e5c9a665a6a8c99ea7b0fc081ee428d89fb1b9e064ced40b87d646144bebd066ed9601088c50516e1c664ab8b8bdd6bb8f7a32aa941456223e3cd01

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
baf09c0fde954d5d6536eba61a06619a

SHA1
f9b8066785aa2f768f35c80ffab1aee450caeb03

SHA256
e60bd0e165f955688eef2044260f126cd749f4937b29b0c9ed068e44bfdcf31a

SHA512
eadf63e6e64fac605b63d0ed1ab6ecbe30b3dcb5ab3c9e68ee3c075ebec567fe33d000a333ce6dec6df8832ab0a049c62a024996cb1bcac86633794e0bd4b183

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
baf09c0fde954d5d6536eba61a06619a

SHA1
f9b8066785aa2f768f35c80ffab1aee450caeb03

SHA256
e60bd0e165f955688eef2044260f126cd749f4937b29b0c9ed068e44bfdcf31a

SHA512
eadf63e6e64fac605b63d0ed1ab6ecbe30b3dcb5ab3c9e68ee3c075ebec567fe33d000a333ce6dec6df8832ab0a049c62a024996cb1bcac86633794e0bd4b183

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
298b859ca780dda4b3f8d49a410ac110

SHA1
ddf2095791f26ac780183b183d7d2d3c84ce8a65

SHA256
f31635ac51bce2a2ffa1f7c18b596e3f5a980cc2a4e5a9da095297dbd83b7da3

SHA512
60d0c5f65d5aeaf90359209ce67799d8efeaac55482360bbea10e6e0ab8d5b825baab2eefe5657cb8c9d2cd1580e120863d4dd59a9b7eb47b75cfc55ff3502e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
298b859ca780dda4b3f8d49a410ac110

SHA1
ddf2095791f26ac780183b183d7d2d3c84ce8a65

SHA256
f31635ac51bce2a2ffa1f7c18b596e3f5a980cc2a4e5a9da095297dbd83b7da3

SHA512
60d0c5f65d5aeaf90359209ce67799d8efeaac55482360bbea10e6e0ab8d5b825baab2eefe5657cb8c9d2cd1580e120863d4dd59a9b7eb47b75cfc55ff3502e5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bfb2d06425ec0721986fcb9948034b2e

SHA1
3758d7ee135ee89e8b105157f94266e0e4d5b172

SHA256
fc833857155722bc12a40e6302053f8f1dae5f4913f39b5964f013dc6aadff5c

SHA512
d51cbd93d0a9a03e3e6c38c12aeec7779919b3715129c492d4c3685b1c11d2edb1fec77f4b9f567e2534c7d7d4693ed028691fb2eaf88cd1f6e7c62c8dca33e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bfb2d06425ec0721986fcb9948034b2e

SHA1
3758d7ee135ee89e8b105157f94266e0e4d5b172

SHA256
fc833857155722bc12a40e6302053f8f1dae5f4913f39b5964f013dc6aadff5c

SHA512
d51cbd93d0a9a03e3e6c38c12aeec7779919b3715129c492d4c3685b1c11d2edb1fec77f4b9f567e2534c7d7d4693ed028691fb2eaf88cd1f6e7c62c8dca33e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2faa3a531bcc3a2a326ee8b54936204

SHA1
74bef2e35aa6403587c65e4f417c6490c8097ea2

SHA256
4341ce2aedae8bb28f00039c6bf7b2641305af9ee1704aca46fe459e65eec908

SHA512
47f122bc8c417dede9c739508085f84963d02e64f1b9fbade286975f06b13b36a57b317e59423f703a5b4d5eecefe6c818a4228b2455e373452b8d9fc95651bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2faa3a531bcc3a2a326ee8b54936204

SHA1
74bef2e35aa6403587c65e4f417c6490c8097ea2

SHA256
4341ce2aedae8bb28f00039c6bf7b2641305af9ee1704aca46fe459e65eec908

SHA512
47f122bc8c417dede9c739508085f84963d02e64f1b9fbade286975f06b13b36a57b317e59423f703a5b4d5eecefe6c818a4228b2455e373452b8d9fc95651bd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2a72688315620735440e382e081dceb5

SHA1
12aba65d0e74f2539e342611c5bd67e6ecfc7462

SHA256
95320d55a0be60bf73dd37a22bf13e3f0381c0343945260611dc1ae39602eea0

SHA512
0c464375608dbc552119f5055c628607b679bf6b5fee3a510058d73d1a4b2c4c40307750c5ffe43d756d6006a9022bc00ac25ba8a0dbcd11646c3063c9ca9c5a

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
58f24a6470c6d1ddfd848ff07a09ffd9

SHA1
586e20eb7c62ea68285da80294409b0b8edcf4bf

SHA256
3b3212c3b6a2f1e5c92511aa378d5073fcaf5ab350b91b7b85935b74b2132478

SHA512
f23457e6b011b2c43ea0c8ac87166d5e316cb63ceeaa105496cd6ca36c863b1c8f1ffe4046789992050fcf1d45499a17367282ebca9c9c756909325e3ded10b2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
58f24a6470c6d1ddfd848ff07a09ffd9

SHA1
586e20eb7c62ea68285da80294409b0b8edcf4bf

SHA256
3b3212c3b6a2f1e5c92511aa378d5073fcaf5ab350b91b7b85935b74b2132478

SHA512
f23457e6b011b2c43ea0c8ac87166d5e316cb63ceeaa105496cd6ca36c863b1c8f1ffe4046789992050fcf1d45499a17367282ebca9c9c756909325e3ded10b2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1676b8e74c639cfc891b785850512367

SHA1
e93e62bd079c6a4686c36c7e87a13246b59e46cd

SHA256
d8eaaf486cfc3d13db98bcc5ca5d1a67e43810a555147196fdaeb4b4f4b74e9c

SHA512
a8a66e3fed34d750df375f963b6d8bd5738d513547d5525c8e8d16b9aa6a8b7c205b3d888015280257efce743b626d2428b5df9018e9364a00741f5ad372c0af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1676b8e74c639cfc891b785850512367

SHA1
e93e62bd079c6a4686c36c7e87a13246b59e46cd

SHA256
d8eaaf486cfc3d13db98bcc5ca5d1a67e43810a555147196fdaeb4b4f4b74e9c

SHA512
a8a66e3fed34d750df375f963b6d8bd5738d513547d5525c8e8d16b9aa6a8b7c205b3d888015280257efce743b626d2428b5df9018e9364a00741f5ad372c0af

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c47022fc6b5e322dcb8180110400cba

SHA1
bf55fb51225284dd84a5acace1fc5878f5d9dffa

SHA256
6deb5f296277bc379267509311fec910c820b4b588a2fd6ab6e2a1a480ba5065

SHA512
c44c2bc12e61d952c92eb99a773373016462ea95e592d9bd0b3cf3a0227809fba7bf412e7f14733e706df295d1863d559bc679a779267d5bbf5c0ccbc7882f45

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7c47022fc6b5e322dcb8180110400cba

SHA1
bf55fb51225284dd84a5acace1fc5878f5d9dffa

SHA256
6deb5f296277bc379267509311fec910c820b4b588a2fd6ab6e2a1a480ba5065

SHA512
c44c2bc12e61d952c92eb99a773373016462ea95e592d9bd0b3cf3a0227809fba7bf412e7f14733e706df295d1863d559bc679a779267d5bbf5c0ccbc7882f45

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7cdc37e7a8fe98cc302619627bf2c69c

SHA1
d40d3ecce460a32874d88e2efb31147baac38ce2

SHA256
67e60bc04215343c68dea8d498d717027f34ca283bb6e9c7746cbb3876c0d433

SHA512
e8d8df371e5c9a665a6a8c99ea7b0fc081ee428d89fb1b9e064ced40b87d646144bebd066ed9601088c50516e1c664ab8b8bdd6bb8f7a32aa941456223e3cd01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
7cdc37e7a8fe98cc302619627bf2c69c

SHA1
d40d3ecce460a32874d88e2efb31147baac38ce2

SHA256
67e60bc04215343c68dea8d498d717027f34ca283bb6e9c7746cbb3876c0d433

SHA512
e8d8df371e5c9a665a6a8c99ea7b0fc081ee428d89fb1b9e064ced40b87d646144bebd066ed9601088c50516e1c664ab8b8bdd6bb8f7a32aa941456223e3cd01

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
baf09c0fde954d5d6536eba61a06619a

SHA1
f9b8066785aa2f768f35c80ffab1aee450caeb03

SHA256
e60bd0e165f955688eef2044260f126cd749f4937b29b0c9ed068e44bfdcf31a

SHA512
eadf63e6e64fac605b63d0ed1ab6ecbe30b3dcb5ab3c9e68ee3c075ebec567fe33d000a333ce6dec6df8832ab0a049c62a024996cb1bcac86633794e0bd4b183

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
baf09c0fde954d5d6536eba61a06619a

SHA1
f9b8066785aa2f768f35c80ffab1aee450caeb03

SHA256
e60bd0e165f955688eef2044260f126cd749f4937b29b0c9ed068e44bfdcf31a

SHA512
eadf63e6e64fac605b63d0ed1ab6ecbe30b3dcb5ab3c9e68ee3c075ebec567fe33d000a333ce6dec6df8832ab0a049c62a024996cb1bcac86633794e0bd4b183

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
298b859ca780dda4b3f8d49a410ac110

SHA1
ddf2095791f26ac780183b183d7d2d3c84ce8a65

SHA256
f31635ac51bce2a2ffa1f7c18b596e3f5a980cc2a4e5a9da095297dbd83b7da3

SHA512
60d0c5f65d5aeaf90359209ce67799d8efeaac55482360bbea10e6e0ab8d5b825baab2eefe5657cb8c9d2cd1580e120863d4dd59a9b7eb47b75cfc55ff3502e5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
298b859ca780dda4b3f8d49a410ac110

SHA1
ddf2095791f26ac780183b183d7d2d3c84ce8a65

SHA256
f31635ac51bce2a2ffa1f7c18b596e3f5a980cc2a4e5a9da095297dbd83b7da3

SHA512
60d0c5f65d5aeaf90359209ce67799d8efeaac55482360bbea10e6e0ab8d5b825baab2eefe5657cb8c9d2cd1580e120863d4dd59a9b7eb47b75cfc55ff3502e5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bfb2d06425ec0721986fcb9948034b2e

SHA1
3758d7ee135ee89e8b105157f94266e0e4d5b172

SHA256
fc833857155722bc12a40e6302053f8f1dae5f4913f39b5964f013dc6aadff5c

SHA512
d51cbd93d0a9a03e3e6c38c12aeec7779919b3715129c492d4c3685b1c11d2edb1fec77f4b9f567e2534c7d7d4693ed028691fb2eaf88cd1f6e7c62c8dca33e2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
bfb2d06425ec0721986fcb9948034b2e

SHA1
3758d7ee135ee89e8b105157f94266e0e4d5b172

SHA256
fc833857155722bc12a40e6302053f8f1dae5f4913f39b5964f013dc6aadff5c

SHA512
d51cbd93d0a9a03e3e6c38c12aeec7779919b3715129c492d4c3685b1c11d2edb1fec77f4b9f567e2534c7d7d4693ed028691fb2eaf88cd1f6e7c62c8dca33e2

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2faa3a531bcc3a2a326ee8b54936204

SHA1
74bef2e35aa6403587c65e4f417c6490c8097ea2

SHA256
4341ce2aedae8bb28f00039c6bf7b2641305af9ee1704aca46fe459e65eec908

SHA512
47f122bc8c417dede9c739508085f84963d02e64f1b9fbade286975f06b13b36a57b317e59423f703a5b4d5eecefe6c818a4228b2455e373452b8d9fc95651bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f2faa3a531bcc3a2a326ee8b54936204

SHA1
74bef2e35aa6403587c65e4f417c6490c8097ea2

SHA256
4341ce2aedae8bb28f00039c6bf7b2641305af9ee1704aca46fe459e65eec908

SHA512
47f122bc8c417dede9c739508085f84963d02e64f1b9fbade286975f06b13b36a57b317e59423f703a5b4d5eecefe6c818a4228b2455e373452b8d9fc95651bd

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
9b2350dfa23d2bc833f4a23c2d55b52d

SHA1
50437ca0048e354b73f54338b9ee7ec60f8dc541

SHA256
e5262524cd33d0559543014122fb3abf0728e9b68273a2ee896aaad37f8c8500

SHA512
ca5cccfa34e69a09cf8de17c408582fe8465a9e135905976c40bf6e4ff1a0976414332d1f5a7873f2422d592a3b5aab3394706f4ef7b1c6b3ba2c7fa28131cc5

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
2a72688315620735440e382e081dceb5

SHA1
12aba65d0e74f2539e342611c5bd67e6ecfc7462

SHA256
95320d55a0be60bf73dd37a22bf13e3f0381c0343945260611dc1ae39602eea0

SHA512
0c464375608dbc552119f5055c628607b679bf6b5fee3a510058d73d1a4b2c4c40307750c5ffe43d756d6006a9022bc00ac25ba8a0dbcd11646c3063c9ca9c5a

Download Submit
memory/1336-90-0x0000000003F90000-0x0000000004000000-memory.dmp

Filesize
448KB

Download
memory/1704-210-0x0000000003DD0000-0x0000000003DF9000-memory.dmp

Filesize
164KB

Download
memory/1748-161-0x0000000004790000-0x0000000004800000-memory.dmp

Filesize
448KB

Download