Analysis

  • max time kernel
    150s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    18/08/2024, 19:25

General

  • Target

    1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe

  • Size

    1.1MB

  • MD5

    706ebc05f625f5601927d95f1df25ce3

  • SHA1

    09c9acf256fbb5392438c2b699918edefb42b55e

  • SHA256

    1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d

  • SHA512

    4909fb82e45951d714bd10ebd1b938c1571e472ce6d6c94b090273e9d305dfd6f72035d7c7a257d72117f872b6d8cd4f3ac88be9f8ac80319098b324938c74ce

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Qs:acallSllG4ZM7QzM7

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 23 IoCs
  • Loads dropped DLL 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe
    "C:\Users\Admin\AppData\Local\Temp\1196ebde2000490a156f6ce6f42ab8c3cdb2209dbff2d3b2b91d4ab289bf7f8d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2136
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2928
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2720
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2836
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2120
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                  8⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1932
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2288
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                      10⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:820
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:700
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1300
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:972
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                              14⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:1484
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:2472
                                • C:\Windows\SysWOW64\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                  16⤵
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1836
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:2724
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                      18⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:2908
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2612
                                        • C:\Windows\SysWOW64\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                          20⤵
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:2624
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:1728
                                            • C:\Windows\SysWOW64\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                              22⤵
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              PID:2496
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:1744
                                                • C:\Windows\SysWOW64\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                  24⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  PID:1428
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2980
                                                    • C:\Windows\SysWOW64\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                      26⤵
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2104
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:916
                                                        • C:\Windows\SysWOW64\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                          28⤵
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          PID:780
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2552
                                                            • C:\Windows\SysWOW64\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                              30⤵
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              PID:1508
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:2512
                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                  32⤵
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:2472
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:2760
                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                      34⤵
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:784
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:2644
                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                          36⤵
                                                                          • Loads dropped DLL
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2660
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:1824
                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                              38⤵
                                                                              • Loads dropped DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:2996
                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:3064
                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                  40⤵
                                                                                  • Loads dropped DLL
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:1328
                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1124
                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                      42⤵
                                                                                      • Loads dropped DLL
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:1432
                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:1696
                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                          44⤵
                                                                                          • Loads dropped DLL
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1096
                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:952
                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                              46⤵
                                                                                              • Loads dropped DLL
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1032
                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:812
                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                                  48⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:1668

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

          Filesize

          92B

          MD5

          67b9b3e2ded7086f393ebbc36c5e7bca

          SHA1

          e6299d0450b9a92a18cc23b5704a2b475652c790

          SHA256

          44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

          SHA512

          826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          753B

          MD5

          fbbbd97d1cd6c2b65ae5c6a96dd600f9

          SHA1

          ee11ae0acc36af43ce3fec4f897ab0bef3a9092b

          SHA256

          3646a35e98598cb938751885bc6f72e53daf0088420e0f1fcdc2a0f6a75e6b3e

          SHA512

          a7c0fa66b6ac43c575d5fabf2ad025942d2a61075cb02a12aaa6ed77c591ff48d7953f8ba43bdc471a1d171349fd8a93fbc3b89b1fb66d989904a610f1e8618a

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          aac0fba8016aa15609aa7abb5db077ae

          SHA1

          f8afa6ff11a91f46eb961727ec6a5fad360fa1c9

          SHA256

          76a6ce5f2e579dc37db23bb0e1ef5ebdd8b02e6b22b6f8da1a17964db237a8a0

          SHA512

          26a4910f08563b7c4b1e1abba82fefdefcb43b7d1149d5e6c7dda36db4aa142c4b74bc64263f23a5177804e2191696795e0de5d5368ea6903b398415d435962e

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          6a10838e65cf3aedda11230ee7f407b7

          SHA1

          7878e96feb82d309b74e4fe98ad256d3bfd63d08

          SHA256

          79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

          SHA512

          7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          81911744d71ed066085116eec2026095

          SHA1

          47cfe383cd90c80f367d20667fa26cd160507a8f

          SHA256

          3154f7fe0c77b8441733285f257a444605ca5badb1148288aa7275033f75d3f5

          SHA512

          e64925ee682737251c7d5f42a378a4f6c23a50a07a6811882547567725b59c172da356b235afc977d4c1e8209f5c1ba696b9dd54e7739f67a71c099c031d7396

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          b80e64a84f22d05c1da6e47ce54973aa

          SHA1

          5cad9390328f2c7439c775fabb7a0456663085d9

          SHA256

          9dd0f5f176d3fad7c0eb3bdd6f14036a878cbce9fd50fb1a47318da147bfd82e

          SHA512

          983affb7f9189c1eb80982438c288ee607e7ee91675b6a6e854873c476961b39ddec66801e0a09bedd0f133a0132693a5fed5c8ff0f8c3d3aa4f470fdb8c39b9

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          56b642f742552f48c6b8b9c099412a21

          SHA1

          c3cf968546d550feddcded0747d331305147e1e3

          SHA256

          a91e4afb0d2f495e9c4fd5031514174673505464922192f9d87832fc21ef119b

          SHA512

          43edab26c4c27b9458d393f139895b68ce6b230685fd112658b4046094beac5479329f63c9c836dace1e76984fc22b96aecdf0c0252cf656e6d1fe639abf403a

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          1c4a20bad462e2ead31b207cd4b0dd1b

          SHA1

          e6037559a47f711d0e930c907b6c33269cb8ecb9

          SHA256

          7cbf5f523fb2c8a62f6308bc56b5ff19556c167b7ce2c9e2d74329835c79d29e

          SHA512

          78e63943987dbb5fa66f2b9865002911c5225dbcba3e89ea0de4ed94dbd211e965e766073e19205a55a7d83cc631e87c50b9f6815d83fced9f41a72c842c145b

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          0746413c017663c2889cbadf684741eb

          SHA1

          6a61f92238e17b83adba719b52d2f3d9cd205b8a

          SHA256

          5e9eb3cc7e536ea1249b6bdb65b934565018fa760198e2b2c8f5537de84b86bd

          SHA512

          e222a18584aadd15f5c4706601acc6fa30d6a08325f2679724eba4b2952e56d4d7e1a97c42ae88aefacfa59b87723118d2dd28c1541204715dc1e11b4867b05c

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          a7abbe21bd06224da6044ceefc079882

          SHA1

          45948d51fb8d65cd1032448311043927dcfa0d2f

          SHA256

          5f4905388f1de9cd98bc931f1f041dd2543394219661a271c11fff5b0d8222b2

          SHA512

          3371b7d36aadb7aa31617ba0d8cb23e2ccd36c8268946e8ec526e98e61d0312622b089331f05a36775fd59174fa8a68595e664a665feeb9afce17c906a8b1bd5

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          6cc9dd78b42e2ca0e1deb237988b6ae2

          SHA1

          6ec16a7e43a4c558a19f125758d56ed9a180e6ee

          SHA256

          11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

          SHA512

          331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          e74576d29f1c1a7185cdf1e12b96a260

          SHA1

          f76ee203cb56b7dda62a2947ff1e2fc954efa777

          SHA256

          e31ecb9dcf31c19fbd131b31e5191375f7aeb708ffa678363de99e118715eb65

          SHA512

          934e3a9171de8fe03c9b398b4e79b3eee77845750ba2b0d16c3a38bc8299d3d72643cedfbb025df848f4c5ab302f5d4b145da13c2ac3ed96bdc1658791d4f5bb

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          297aff64991480fd92a4ce9fb4d40807

          SHA1

          c586f7003f854f442db26448516e59826dfe41e9

          SHA256

          5137a62e031c71093a7d6c2684519614bb5eed80fd8daa92912f085a6ab82b8a

          SHA512

          f7a2fae80f26e6fb846ec9675c5a03932c8bd842d75f68cdb05c2f18e9397ed32774ce0a1f495e5618a5ce1b37e088c8991a69fb999559d1e2b0dd360cc96b4f

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          02b37bf88f1ab7a2d7b74ecb09c804f3

          SHA1

          292743dc43c43f316a8ac1135694b3670e2c5fcb

          SHA256

          91c4a4418ac19c248a9dc1e0258dc3643d231fce4bcdf28277b34f30dae459ee

          SHA512

          401ea98c5fa9670c28013744b7ef415239ab30f2456f40fdd31f545f51b7e9a162340fe13754d45d35ffce890a81cf43131ae0dff1438d233a97f1f459e30668

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          d505730b5d18a77ac2c57c8cba202148

          SHA1

          8e5ebe68cf8ea173bcfa60d698b02b80a00eb59b

          SHA256

          9f2a4b4d7bebdd787d3a02e8d4b899dbe8588895d9095e2fdb16418417fa1df2

          SHA512

          9f2bfe93c0ec4c64cf80bfc5165e216018e2143f59636f9eeee7507bebc932f51416a98b4103a4a333c3affc1394798075727dda1ad69fa81e4d7adfa3207bde

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          ffa7aa4bdf07dabe09908c5707dad6a2

          SHA1

          9aa3a9d22669a0fc0d392b57dfbb9b622c0635e0

          SHA256

          b10ce4a29557979d8116658b26d5bccb42a023ec401567b982cdc082efe3f333

          SHA512

          ab78bbe06084cffef1701e9b2e33d57ebb306cf646b2113b05af377ec5c51783a317288d6802f2e3d57e8ce88ee773d051d794eb38273d40531b333e8b06061a

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          c712974f3073193c55db010513b35643

          SHA1

          c6c9e491e19ae81da3c77b4738306ef76e79f4d7

          SHA256

          bafdb5720b562c47db405c5669c3f0ee79dc2314c053456eae83d3fcbc497e19

          SHA512

          ec9bbacde99efdb64af51a2d5ba7595c976456fa843952d73b02c6c4b124f6f2aa617327a28ac3776e6050d6d9dce834f7137b801b4aac855f0c3ae996780c22

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          082ead1dadf9bdca5f5b7b939b0fcf15

          SHA1

          b17069416cdc9e6f4a28f66256bf02df028418f9

          SHA256

          3786111ab4165f77db72b998b94251042b515f5f92b14d5184d4db12b3cbbaa7

          SHA512

          e654af6d0c7f14838216ea1ff99e107e0c2c361d0484108b4fa62533f4b8d9384eaefedca31f322f6138d2676f6a21b6d872b59d6b853a41531ded2faebeee0c

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          78a9a649e51a45157eb6a24e50a4bfdc

          SHA1

          2729c6eb19a7bc13f38b7080bbd59dd7de500852

          SHA256

          38a298f16067bd85e23e6de21b941519b9297c8ad1f4ea9c9d03b60eb9d46daa

          SHA512

          13945264472d5b59f5b9c8fd1c617e8d27a030f2d789550bcf3823be821dbd14762b600d316762258ed389a013e32775c66ae6e48fab22f6f864f235a10253f1

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          872c976217cc1d41b337369c8a1824d3

          SHA1

          0d59e724ca91b7a8c061e163dfa6f9907293801b

          SHA256

          32279b9277ac7e85fd47ef65021ad2ad39c20a92371730b496c88d14113e0b44

          SHA512

          8ea47907a01fbb4abc7f8ec3abc81137f1b52e6aa268023762a69af106589472548145ef62069bc2a16f528731195d3c1eaa34a37d4af601e1e6c48892344b81

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          fbe410d7d4876cbba34a14712e2065d6

          SHA1

          3c5c7ab5445c353d4dadf322737cb687fa8478eb

          SHA256

          ee3106c9a50b6925f2a530133108075ab0eb4d60b80a3f92cbc11ec19233c677

          SHA512

          16c2f14e542926e71de2a28a5dbb575fa670f98f0de91463f2fca739cf2ee04ea9e697804a223f06a0c51883f6c67b39c706050b098ba8168712e00188d9064f

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          6a04ba2b57d5ae9152448de183ea8307

          SHA1

          ff3cf30fd7c96cb534f48185a4e6551526a8042a

          SHA256

          d1c1c03f5822cfabb19eccd18fa11831d24ddadbd65cb5a7931819adf9a5422b

          SHA512

          82cc8aac58559a0ca869609b54fa966bb28ac66875a3d2696c605055b081d88fe1c50f76342e57b7cd0001602f72185d263668f8df5780db52a65f7ea95b5e63

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          cb97cfb338f3d310fd25e840650c2550

          SHA1

          3504c0e827b200049ee3f3fa61a962dc0a698e51

          SHA256

          ea6fd43c6879d61fcc2973d1b9423009952f13009cdacc22ead61dcf4c2bf456

          SHA512

          ead1394b71ede85701ca0e0a6f1db0c2b2ba2d58413be054c61695236da14ffd8e74937b2f732a2434e0168b95508a8bf92b0f5f09860e6e8b696fc2811a7fa8

        • memory/700-76-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/784-191-0x00000000046C0000-0x000000000481F000-memory.dmp

          Filesize

          1.4MB

        • memory/812-243-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/916-166-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/952-241-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/952-234-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/972-82-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/972-90-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1032-242-0x00000000045F0000-0x000000000474F000-memory.dmp

          Filesize

          1.4MB

        • memory/1096-250-0x0000000004720000-0x000000000487F000-memory.dmp

          Filesize

          1.4MB

        • memory/1124-225-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1328-218-0x0000000004490000-0x00000000045EF000-memory.dmp

          Filesize

          1.4MB

        • memory/1428-150-0x00000000045E0000-0x000000000473F000-memory.dmp

          Filesize

          1.4MB

        • memory/1432-226-0x0000000004A40000-0x0000000004B9F000-memory.dmp

          Filesize

          1.4MB

        • memory/1508-175-0x0000000004870000-0x00000000049CF000-memory.dmp

          Filesize

          1.4MB

        • memory/1696-233-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1728-142-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1744-149-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1824-208-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1824-201-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1996-0-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1996-9-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2104-159-0x0000000004A40000-0x0000000004B9F000-memory.dmp

          Filesize

          1.4MB

        • memory/2120-51-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2136-13-0x0000000003ED0000-0x000000000402F000-memory.dmp

          Filesize

          1.4MB

        • memory/2136-14-0x0000000003ED0000-0x000000000402F000-memory.dmp

          Filesize

          1.4MB

        • memory/2288-64-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2472-183-0x0000000004840000-0x000000000499F000-memory.dmp

          Filesize

          1.4MB

        • memory/2472-103-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2512-182-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2552-174-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2552-167-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2612-128-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2644-199-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2644-192-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2660-200-0x00000000045F0000-0x000000000474F000-memory.dmp

          Filesize

          1.4MB

        • memory/2720-38-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2724-116-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2756-24-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2760-190-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2980-151-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2980-158-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2996-209-0x0000000004570000-0x00000000046CF000-memory.dmp

          Filesize

          1.4MB

        • memory/3064-217-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3064-210-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB