b5320a2a4ba300b3269f3bd3a33b26c4202e5baaaf0f12bd2aee5034197b3dfa

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
31/05/2024, 10:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

script.vbs
Size

3KB
MD5

0d27b8fed0a4160a6c127e875e4748e0
SHA1

51cdc11433b11ec14474a1947da187898ccb3e12
SHA256

b5320a2a4ba300b3269f3bd3a33b26c4202e5baaaf0f12bd2aee5034197b3dfa
SHA512

d6bf6bed82c30a5603893cdf3025f8c11e8a3c2f15764971420900f8bb602e0ee8fe482dc2f76746cf8afc8aac1d7f37af43226e04b6497424dda3aa6f38ad5b

Score

8^/10

evasion execution

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5612	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Kills process with taskkill 1 IoCs

evasion

pid	Process
3776	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000_Classes\Local Settings	WScript.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
2808	reg.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
5612	powershell.exe
5612	powershell.exe
5612	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5080	WScript.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	5612	powershell.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1180	WScript.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5080 wrote to memory of 2808	5080	WScript.exe	81
PID 5080 wrote to memory of 2808	5080	WScript.exe	81
PID 5080 wrote to memory of 2616	5080	WScript.exe	83
PID 5080 wrote to memory of 2616	5080	WScript.exe	83
PID 5080 wrote to memory of 2708	5080	WScript.exe	84
PID 5080 wrote to memory of 2708	5080	WScript.exe	84
PID 5080 wrote to memory of 1992	5080	WScript.exe	85
PID 5080 wrote to memory of 1992	5080	WScript.exe	85
PID 5080 wrote to memory of 4004	5080	WScript.exe	86
PID 5080 wrote to memory of 4004	5080	WScript.exe	86
PID 5080 wrote to memory of 924	5080	WScript.exe	87
PID 5080 wrote to memory of 924	5080	WScript.exe	87
PID 5080 wrote to memory of 3728	5080	WScript.exe	88
PID 5080 wrote to memory of 3728	5080	WScript.exe	88
PID 5080 wrote to memory of 2660	5080	WScript.exe	89
PID 5080 wrote to memory of 2660	5080	WScript.exe	89
PID 5080 wrote to memory of 2504	5080	WScript.exe	90
PID 5080 wrote to memory of 2504	5080	WScript.exe	90
PID 5080 wrote to memory of 2416	5080	WScript.exe	91
PID 5080 wrote to memory of 2416	5080	WScript.exe	91
PID 5080 wrote to memory of 3344	5080	WScript.exe	92
PID 5080 wrote to memory of 3344	5080	WScript.exe	92
PID 5080 wrote to memory of 1384	5080	WScript.exe	93
PID 5080 wrote to memory of 1384	5080	WScript.exe	93
PID 5080 wrote to memory of 4220	5080	WScript.exe	94
PID 5080 wrote to memory of 4220	5080	WScript.exe	94
PID 5080 wrote to memory of 5712	5080	WScript.exe	95
PID 5080 wrote to memory of 5712	5080	WScript.exe	95
PID 5080 wrote to memory of 4140	5080	WScript.exe	96
PID 5080 wrote to memory of 4140	5080	WScript.exe	96
PID 5080 wrote to memory of 5360	5080	WScript.exe	97
PID 5080 wrote to memory of 5360	5080	WScript.exe	97
PID 5080 wrote to memory of 2644	5080	WScript.exe	98
PID 5080 wrote to memory of 2644	5080	WScript.exe	98
PID 5080 wrote to memory of 5096	5080	WScript.exe	99
PID 5080 wrote to memory of 5096	5080	WScript.exe	99
PID 5080 wrote to memory of 4904	5080	WScript.exe	100
PID 5080 wrote to memory of 4904	5080	WScript.exe	100
PID 5080 wrote to memory of 5532	5080	WScript.exe	101
PID 5080 wrote to memory of 5532	5080	WScript.exe	101
PID 5080 wrote to memory of 5116	5080	WScript.exe	102
PID 5080 wrote to memory of 5116	5080	WScript.exe	102
PID 5080 wrote to memory of 5240	5080	WScript.exe	103
PID 5080 wrote to memory of 5240	5080	WScript.exe	103
PID 5080 wrote to memory of 4356	5080	WScript.exe	104
PID 5080 wrote to memory of 4356	5080	WScript.exe	104
PID 5080 wrote to memory of 4260	5080	WScript.exe	105
PID 5080 wrote to memory of 4260	5080	WScript.exe	105
PID 5080 wrote to memory of 4056	5080	WScript.exe	106
PID 5080 wrote to memory of 4056	5080	WScript.exe	106
PID 5080 wrote to memory of 4044	5080	WScript.exe	107
PID 5080 wrote to memory of 4044	5080	WScript.exe	107
PID 5080 wrote to memory of 3272	5080	WScript.exe	108
PID 5080 wrote to memory of 3272	5080	WScript.exe	108
PID 5080 wrote to memory of 812	5080	WScript.exe	109
PID 5080 wrote to memory of 812	5080	WScript.exe	109
PID 5080 wrote to memory of 3736	5080	WScript.exe	110
PID 5080 wrote to memory of 3736	5080	WScript.exe	110
PID 5080 wrote to memory of 1180	5080	WScript.exe	111
PID 5080 wrote to memory of 1180	5080	WScript.exe	111
PID 5080 wrote to memory of 1928	5080	WScript.exe	112
PID 5080 wrote to memory of 1928	5080	WScript.exe	112
PID 5080 wrote to memory of 716	5080	WScript.exe	118
PID 5080 wrote to memory of 716	5080	WScript.exe	118

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\script.vbs"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of WriteProcessMemory
PID:5080
- C:\Windows\System32\reg.exe
  "C:\Windows\System32\reg.exe" add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2808
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2616
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2708
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1992
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4004
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:924
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3728
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2660
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2504
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2416
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3344
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1384
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4220
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5712
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4140
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5360
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:2644
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5096
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4904
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5532
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5116
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:5240
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4356
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4260
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4056
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:4044
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3272
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:812
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:3736
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1180
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\f.vbs"
  2⤵
  PID:1928
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c10.vbs"
  2⤵
  PID:716
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c9.vbs"
  2⤵
  PID:4720
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c8.vbs"
  2⤵
  PID:1124
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c7.vbs"
  2⤵
  PID:4928
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c6.vbs"
  2⤵
  PID:2768
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c5.vbs"
  2⤵
  PID:1880
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c4.vbs"
  2⤵
  PID:3512
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c3.vbs"
  2⤵
  PID:4120
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c2.vbs"
  2⤵
  PID:5412
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\c1.vbs"
  2⤵
  PID:1148
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:1976
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:628
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:2200
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:1892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:4012
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:5292
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:5788
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:216
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:4456
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:1552
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:4460
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:4724
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:3476
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:6108
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:4716
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:3504
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:4964
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:2228
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:2376
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\as.bat" "
  2⤵
  PID:3024
- C:\Windows\System32\taskkill.exe
  "C:\Windows\System32\taskkill.exe" /f /im cmd.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3776
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass -Command "Add-Type -TypeDefinition @using System;using System.Runtime.InteropServices;public class DisplaySettings {[DllImport("user32.dll")]public static extern bool EnumDisplaySettings(ing deviceName, int modeNum, ref DEVMODE devMode);[DllImport("user32.dll")]public static extern int ChangeDisplaySettings(ref DEVMODE devMode, int flags);[StructLayout(LayoutKind.Sequential)]public uct DEVMODE {// Definition of DEVMODE ucture}public static void ChangeResolution(int width, int height) {// Changing screen resolution}}@Invoke-Expression $PowerShellCode[DisplaySettings]::ChangeResolution(800, 600)Start-Sleep -Seconds 5[DisplaySettings]::ChangeResolution(1920, 1080)"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bbmbrkok.kin.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\as.bat

Filesize
113B

MD5
6b7662d24ce4aeb75c0fe81e694dffe1

SHA1
931d56c33a439a7be623e83fbbe62ca7aefce592

SHA256
cacb0ea05fd9d66af45db3e280d7d99ba54c586cd59b4b1f3d894f7a3f019719

SHA512
0923a92c2923726c1ecf91b9ab2d49e489cb1d730bdd80d026dc0e1ee6884e891c20d1d256e3478dbd47e6dd966d1e6fb49da18408840e2ca9add6f386033d82

Download Submit
C:\Users\Admin\AppData\Roaming\c1.vbs

Filesize
12B

MD5
bed42b9d326a44879de5f3eb64f664d4

SHA1
d297113e5c2fa35f0d38e28bc5c415f4c7c7638a

SHA256
3de1d68a2839c2ee330a217a9522c68ec2ccff242b30c13803d2298cb13053a9

SHA512
d596cd89049d17052ac6b4d1ba86e5f09640c89267811614357e1d15709631a2118ebdd5f8a666223912edbcf9d47b1bf2b5c4f263b0df5c6518fea603154e65

Download Submit
C:\Users\Admin\AppData\Roaming\c10.vbs

Filesize
13B

MD5
14e7c5759d0d75008c579ee6a575d9cf

SHA1
75a6f889e10960586e2fd7f379075ce8188e3954

SHA256
8c535942fd1c910358a8688dbde8bbe9c8b44d806906a8600509328ea86f743f

SHA512
0e85df4733a1ff6bf4499a0db0eed6bde7c1b8a713a5d6593b0a938c5f4c8b9d14c0566c06c792f11cb3f6111761c05a7b9f09b9c1372d97b0c954352ecdcf51

Download Submit
C:\Users\Admin\AppData\Roaming\c2.vbs

Filesize
12B

MD5
0fae1076ffeaa2603f96fac1a99d2e80

SHA1
a41992bfaf293188cd69a6d7a332f5be5ccac1eb

SHA256
92d284d5a32b1cd3aaad3a43158348b299e8917957b535cac86a0b11ef81adc0

SHA512
aea7fd69f9af5f1e022c248f93f20bf90560cde220f533dac14d4608650605eda38e7277a228382a5b3a8ed141ac63544041e150ac99bef49f1fcff140c12fbf

Download Submit
C:\Users\Admin\AppData\Roaming\c3.vbs

Filesize
12B

MD5
bd4b2bb62a5578f1586662d85f5bf184

SHA1
3dde7342f5698c892bd0ebefe537810a1f5aa58f

SHA256
579bebe8aa601373385d8299e08ab6f849bea11ce36fcc008e75ec81ee833f2d

SHA512
b6e6626dd78a8a75245674fc486563ed38a2eef30981d10617e410b1c474946b3f99495ca8170e21a07f4dcd60b313700df3f65bfd754880ec0d6144ad640e3d

Download Submit
C:\Users\Admin\AppData\Roaming\c4.vbs

Filesize
12B

MD5
969962260218d28896c4c38ed9614a79

SHA1
5e870923742f743af9d8015f8052d7015fcf5d84

SHA256
b7fd93b145bf64e8f0684d388ee6e80cbb8a375a770643758a8061bcc632348d

SHA512
c3e28fcbf0527c5d8ca871fdcbf4f58689ec34eceecb6fa890f356e3bf63ef25bff3fbc65a68db4ce34ce8f156df588f9767ca8c69bede5709779742e82b0367

Download Submit
C:\Users\Admin\AppData\Roaming\c5.vbs

Filesize
12B

MD5
67e7d34fe417cfe19c8561561e94b5d1

SHA1
907d07ab9d92f4eacb7873f6f10cb6e6a391b259

SHA256
c0d1316c827ad28a4b341079af39b1603a449bb4e01cb1736ed983ca65c041cc

SHA512
36c11f0991041d830203163f1e5e8dced08a9dc5262f78b1f4f284d397aea75974b801b8a143466182663c41724fe994408bc9478907de5c842275d559243814

Download Submit
C:\Users\Admin\AppData\Roaming\c6.vbs

Filesize
12B

MD5
ffba4e5b4b7e249daefdc9fe79390da4

SHA1
12e31e77e26d114a9e71f125341c590e903f4a7f

SHA256
bc752af7c09d6466d773f8f76f993075106681e9b42c2ec581f971834c28189c

SHA512
b20aa0474fb4e3e27420ed37d984a6e1324ac14e5d5defc5f05120c303b40fef0077adec382e9aa072e28de0bbbfe1fda18a6384148adf42b365c6f6637698c2

Download Submit
C:\Users\Admin\AppData\Roaming\c7.vbs

Filesize
12B

MD5
48030a79f4ff1532de2d4a306897b4c5

SHA1
f586f3166fcff869f415829d62d23a9098d21e34

SHA256
43f0b205b6abae092a22e2ce869127e09c81a5a476eea471f4584e84e3f3f555

SHA512
026e3b673d689bfeac4236b875bc24f58faf09f5a9bab5ae34062ff507e532e9b93d0ffec1c74a74a246f3ff04b3a7a8e56d516dbc0b2d790efd7d3b67b8c369

Download Submit
C:\Users\Admin\AppData\Roaming\c8.vbs

Filesize
12B

MD5
f37f28c52be97d0b8621d1292297a0b2

SHA1
98fd0120bd8dd6380b137262be078a211ff6d064

SHA256
b247c821445a8fe3a612495dc2fed3ac0204e51ba0294fec25e161c0cf2cdbd1

SHA512
c62e8b7392244dbb0d7b75e2a1a7d4574afc77cc27995ccd7dce557c25f3543c59cef008f689453325cf9731bc7d667d22b7304b42410f7f632f16a8b86a7cc2

Download Submit
C:\Users\Admin\AppData\Roaming\c9.vbs

Filesize
12B

MD5
a8d1a334bbe823d1f8a8fec4609509d0

SHA1
c496fd7e962fb04047b7af75c229d690ac18b249

SHA256
eb31a5954cab07331509dfd6946a5b9483dd8d04c02fc8a1931e171bf590fc1d

SHA512
30ec01583223007fb482344e5a028db5ea5c8d4f90237a63622a1c833983467199db689f12cbc3d98b4c48d75514e85370a56800c658796b51eef317a5b7b029

Download Submit
C:\Users\Admin\AppData\Roaming\f.vbs

Filesize
73B

MD5
039e283edf24991980db051506a0113e

SHA1
9faaa8e3719714614b561fbf90aabe099bfc9205

SHA256
8f9907942bad5f570b815d04b0c4b78b1daed97c30990769dfff48f2ea9f17be

SHA512
fe6184a4f4a4690eaa24a9318014fe1e3b8df262ef30f70bbd1d4ea53883f9737d54d38d24bc2ca60d30122bc538819370c9e0c9bf224fda14cfe78cc8290d4e

Download Submit
memory/5612-59-0x0000024EF5ED0000-0x0000024EF5EF2000-memory.dmp

Filesize
136KB

Download