7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7

Analysis

max time kernel
52s
max time network
51s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 21:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
Size

1.1MB
MD5

a9eac697c9ae3b58760706ee5d2d53e1
SHA1

0c556069ef02c87ded5d51b5127580e6bed14115
SHA256

7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7
SHA512

16f5ea218c2a61fb91ecd730c2fd4fa3fde5bf2e40a864ef6805ed7a385e1188846efe1aaa07be465e209614a6eb9ecb60817af971d30c5a50609d9c79b2ebfb
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qm:acallSllG4ZM7QzMt

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	svchcst.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	WScript.exe

Deletes itself 1 IoCs

pid	Process
3512	svchcst.exe

Executes dropped EXE 10 IoCs

pid	Process
3512	svchcst.exe
2248	svchcst.exe
2068	svchcst.exe
1668	svchcst.exe
4120	svchcst.exe
4688	svchcst.exe
2944	svchcst.exe
2848	svchcst.exe
3396	svchcst.exe
1540	svchcst.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 18 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe
3512	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
3512	svchcst.exe
3512	svchcst.exe
2248	svchcst.exe
2248	svchcst.exe
2068	svchcst.exe
2068	svchcst.exe
1668	svchcst.exe
1668	svchcst.exe
4120	svchcst.exe
4120	svchcst.exe
4688	svchcst.exe
4688	svchcst.exe
2944	svchcst.exe
2944	svchcst.exe
2848	svchcst.exe
2848	svchcst.exe
3396	svchcst.exe
3396	svchcst.exe
1540	svchcst.exe
1540	svchcst.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 3500 wrote to memory of 720	3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	80
PID 3500 wrote to memory of 720	3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	80
PID 3500 wrote to memory of 720	3500	7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe	80
PID 720 wrote to memory of 3512	720	WScript.exe	82
PID 720 wrote to memory of 3512	720	WScript.exe	82
PID 720 wrote to memory of 3512	720	WScript.exe	82
PID 3512 wrote to memory of 3640	3512	svchcst.exe	83
PID 3512 wrote to memory of 3640	3512	svchcst.exe	83
PID 3512 wrote to memory of 3640	3512	svchcst.exe	83
PID 3640 wrote to memory of 2248	3640	WScript.exe	85
PID 3640 wrote to memory of 2248	3640	WScript.exe	85
PID 3640 wrote to memory of 2248	3640	WScript.exe	85
PID 2248 wrote to memory of 2476	2248	svchcst.exe	86
PID 2248 wrote to memory of 2476	2248	svchcst.exe	86
PID 2248 wrote to memory of 2476	2248	svchcst.exe	86
PID 2476 wrote to memory of 2068	2476	WScript.exe	87
PID 2476 wrote to memory of 2068	2476	WScript.exe	87
PID 2476 wrote to memory of 2068	2476	WScript.exe	87
PID 2068 wrote to memory of 824	2068	svchcst.exe	88
PID 2068 wrote to memory of 824	2068	svchcst.exe	88
PID 2068 wrote to memory of 824	2068	svchcst.exe	88
PID 2068 wrote to memory of 2396	2068	svchcst.exe	89
PID 2068 wrote to memory of 2396	2068	svchcst.exe	89
PID 2068 wrote to memory of 2396	2068	svchcst.exe	89
PID 824 wrote to memory of 1668	824	WScript.exe	90
PID 824 wrote to memory of 1668	824	WScript.exe	90
PID 824 wrote to memory of 1668	824	WScript.exe	90
PID 2396 wrote to memory of 4120	2396	WScript.exe	91
PID 2396 wrote to memory of 4120	2396	WScript.exe	91
PID 2396 wrote to memory of 4120	2396	WScript.exe	91
PID 1668 wrote to memory of 4632	1668	svchcst.exe	92
PID 1668 wrote to memory of 4632	1668	svchcst.exe	92
PID 1668 wrote to memory of 4632	1668	svchcst.exe	92
PID 4632 wrote to memory of 4688	4632	WScript.exe	94
PID 4632 wrote to memory of 4688	4632	WScript.exe	94
PID 4632 wrote to memory of 4688	4632	WScript.exe	94
PID 4688 wrote to memory of 3972	4688	svchcst.exe	95
PID 4688 wrote to memory of 3972	4688	svchcst.exe	95
PID 4688 wrote to memory of 3972	4688	svchcst.exe	95
PID 3972 wrote to memory of 2944	3972	WScript.exe	100
PID 3972 wrote to memory of 2944	3972	WScript.exe	100
PID 3972 wrote to memory of 2944	3972	WScript.exe	100
PID 2944 wrote to memory of 232	2944	svchcst.exe	101
PID 2944 wrote to memory of 232	2944	svchcst.exe	101
PID 2944 wrote to memory of 232	2944	svchcst.exe	101
PID 232 wrote to memory of 2848	232	WScript.exe	103
PID 232 wrote to memory of 2848	232	WScript.exe	103
PID 232 wrote to memory of 2848	232	WScript.exe	103
PID 2848 wrote to memory of 4116	2848	svchcst.exe	104
PID 2848 wrote to memory of 4116	2848	svchcst.exe	104
PID 2848 wrote to memory of 4116	2848	svchcst.exe	104
PID 2848 wrote to memory of 3100	2848	svchcst.exe	105
PID 2848 wrote to memory of 3100	2848	svchcst.exe	105
PID 2848 wrote to memory of 3100	2848	svchcst.exe	105
PID 4116 wrote to memory of 3396	4116	WScript.exe	106
PID 4116 wrote to memory of 3396	4116	WScript.exe	106
PID 4116 wrote to memory of 3396	4116	WScript.exe	106
PID 3100 wrote to memory of 1540	3100	WScript.exe	107
PID 3100 wrote to memory of 1540	3100	WScript.exe	107
PID 3100 wrote to memory of 1540	3100	WScript.exe	107

C:\Users\Admin\AppData\Local\Temp\7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe
"C:\Users\Admin\AppData\Local\Temp\7f2f59a770a329a19c2f553da5b552c6a522ce4058934d3aa8c2f6f903c82ca7.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:720
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Checks computer location settings
    - Deletes itself
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Checks computer location settings
      Modifies registry class
      Suspicious use of WriteProcessMemory
      PID:3640
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2248
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2476
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1668
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4632
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:4688
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:4116
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:3396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:3100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:1540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Checks computer location settings
        Modifies registry class
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetWindowsHookEx
        
        PID:4120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
be2cb1af04a1505b6140ee03852b6fcf

SHA1
1c7fb409271175cd1fcbc34593df79b51475d3c2

SHA256
0fddba86f37582e78375a9612deec540ce12972d3d977690c4b70aec685179cd

SHA512
3cd246d5d18cee8f93823a2ce1c9c79424f48a228e8362ca15789f0c9619a72cdb8044c98ec10c064a1bc22989541d5e8bd59bee4a5c0303617445f49959399f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ad7007ed9542468662553e405df66821

SHA1
757c5ee287a113d689f2d370176fcf9c9e1223a3

SHA256
12967e637928b853b708430671e1b72f6ca847a2af2680f8f15da98efb31161e

SHA512
812220b05239ebb0e14f3cd738e58274deb60624eacc360d2b3be6c5010dc418f2587f5f6736a1d80a3a5f52ae9887a492e8934e64af66c89b45a9b47d3069c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
780c5b88f55c3463a252f361d53f98db

SHA1
244e739c7401ce41027d7786f4a48f4806a9939b

SHA256
d8b383df125f83a39c299a3134c88e981cf47755ddd6b44310f70231305c6bb0

SHA512
b12e3266edea4f9dff105ed8617c81a29f9873d646b6b326c5c29c0c590049dd85458b8ff7541957f9ab995896e7bfd08b171959e592ccc6edbedf998fdf1045

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
44c38fa25d3a9963483b583388b6f47b

SHA1
e9b37eb8bcbe2ddda96178ee7502616660cfce57

SHA256
004b640ccc72e36c16e85661847b12fff228d63de834042accadde333aa33e36

SHA512
c39bd240b263314169cef9af85a8e8a89146e96400026936b68a69a7c732d301c16561971dbeaee752e2618f2a592bff5a6a91ee75893522e77f574176887905

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d0a7594dbfff2934bae6e22de9f233fe

SHA1
b2a276918a0f5fb2da4440d77ec65c3c644dcf74

SHA256
b5ba466f75e4b160d164ce3886c42fe86c339961f2f303cfdba40d2c711bc61d

SHA512
3d0c5b27841efaa0286d2b58d1749c1efe45ce115cbcb2af1473e29ec3791501a278c90f087e995279518b3c3aec687edca8937f77ff2520ed6b8d3dff6c0a63

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
75b8f60cfe6895a93f2d8f1b5568af94

SHA1
b80485bc82864b4e1bf0bcc44579eaa01776b1fb

SHA256
6ff47f7681e8f497470bd11b2cfd8156c5d8f1b01f48bfd89037cc4bfe0f34cc

SHA512
089e237c5309d36058e036f69d78deb4144749e91b3a8a8383f817af051a3452acfdf42227cc721517e93428cfd5d48b42e9750e9548762609e81917a4de29c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
b11754cfc2b8e639252061c38ba01c23

SHA1
f474211e787d4374c63ed868d2f05daf1a32c0c7

SHA256
f1ee6de7dc7edd611191e2038ed5351cf527489128a1f31ab5574b8b9a0342be

SHA512
17771d3054454bad96afaa78197db41a969c9a6ca145712c3572737ae1b82deda6ff6e77b6694e8e9a4d9f584a945f3da7dc6c6a7376e1d1df36be64d27e371e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
f1cbd611b0d002d0e41ae6c600154c59

SHA1
c9a7304bda2a225a8da82c089d0e1d4c9c6e8f9f

SHA256
5dd9c76d6fec53d7382ed0591d68906a1d46fe56679d2d16db32dc4a79a4ee4f

SHA512
e029eb08cfd4cc1e2cf58f6f4701fb4ae30381b39afa58cc8157c54730ce5e0c31dfb648dd6cf68c7239d29bc70536fe91b9c199328b01a2b1bd0d5faa8cc588

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
05a1a477ecc4fb7a38a0edde8eee2ec9

SHA1
82f4cb78f5b2dec8d93cec1b041b1164aaedeb99

SHA256
383b8bbba4be8f7fc825bb2c677cd2dd96dc0c81e59bcda4dccb468abe1158b8

SHA512
1f5760f54561f1dabb4ea53ed67eb3b1cf0917b4e462ef4b00be1d4577e3751ed6c2a79c2c5df6f651619241d998b298ee5534be210b9c1c5bf590b308d90c56

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1cbafb3af63619d70ea60e9c9668159f

SHA1
7998140e4b3361c567545ea2eb440698f5311147

SHA256
f73ee8c31f5c56d493e0ef3eeb8985302242d7b40149c985558b0062456ce133

SHA512
b32b8d6cc45ed080874a2572c9f7e9b7196c36ec025ef29a0cf431761e07296ea52b0d1038e3dba6bcb06bbb646f5c8a559c0611a56942b4476048ee7e0f4267

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
a042edfe82c8faf020f03fab6c03f113

SHA1
3ebecbec6b3037bf830395ad895398aa18654ef4

SHA256
6149027bd8800a3828d6c18094eb4deeeaf4aa39feaa2aa528ab922b0e9d0be8

SHA512
76ea2d156f47a6661845c586adf5cd86fb25d9d126c134bf1cd45881c8835a9b6e83db459a9b75d956d4d717acd5086731d1fe6c338fbd13d3d2fa169f2d9e91

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
ff11422c86c85777c3d456cdefc3eee9

SHA1
31c0221c0d2624f5c647a7e7521f515cacff7c49

SHA256
34fefb6e345b03d0ebe12d7cd56238df63de3756816b6c6a8a43f658ce319d6e

SHA512
5d6ed3810627a508cbbbeb03b88daace931ad804573a2f8fb35ce6bd633ce65ed88164da772af145d81b93b0323e83bbcd3f0cb60b055a18bfbc96e35d7a03e6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
81a3388091227fd7d74bb6f7821b84b8

SHA1
ecdb29861277c3dd87e9bf970390adf7f8ec0592

SHA256
8ebbfeb7d4135ed17eab2bff471084e0b9698f60ca517e72941b37e1f3b992a4

SHA512
11555e705ea48dca7c4bf1c404b2f561bb454a6e7c3a817276bbc2420f4a08fbd209fbe819fec81afc54381d34365ef33587e879f9446bfcbd307d7bc9a4a6a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
6382552fd692331e0853f07086417768

SHA1
8bb44a110f4532067882c24ebf7188913cfa8f6a

SHA256
35d639c15f8479ba03fa52ef30b2294f3d02a2f407634d153f16c0323d52fe35

SHA512
d729185ed725b7ab2bc132ca6de2a0c9bc9cd3dc039f16a0394e876ee6b380b11ebf564e636e671f3ae8a10e2c595e635f0f0e47c1e5afccf89a7f2186a89cff

Download Submit
memory/1540-94-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1540-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1668-56-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2068-43-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-25-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2248-33-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2848-90-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2944-78-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3396-96-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3500-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3500-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3512-22-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/3512-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4120-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/4688-68-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download