Analysis

  • max time kernel
    149s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    21/08/2024, 11:53

General

  • Target

    af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe

  • Size

    1.1MB

  • MD5

    e8196031924f935ff5c0ef93d4a24ab4

  • SHA1

    eeb6a3ff13e3e42db0e15c4387dddfdfa0e6b74a

  • SHA256

    af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d

  • SHA512

    6e040cc1591109bf93c4de1497790e25ce35d28bc5db8ab5e7ced8163a639600eb951039ecdaab868bc4b2bd24541fc29cdb16e6507f053a1621e350d248551c

  • SSDEEP

    24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QR:acallSllG4ZM7QzMi

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 24 IoCs
  • Loads dropped DLL 42 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 50 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 50 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe
    "C:\Users\Admin\AppData\Local\Temp\af1a5caf344d7e1d3853b93d4f8870dc8e1923aa0ec402082fe437c04e15987d.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:984
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2804
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2624
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:584
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2992
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2608
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                  8⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1740
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2604
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                      10⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:2192
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:1424
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:1216
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:868
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                              14⤵
                              • System Location Discovery: System Language Discovery
                              PID:2248
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:1748
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        PID:2996
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          PID:2052
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            PID:2668
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                              14⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              PID:1060
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:1968
                                • C:\Windows\SysWOW64\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                  16⤵
                                  • System Location Discovery: System Language Discovery
                                  PID:1160
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                PID:2344
                                • C:\Windows\SysWOW64\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                  16⤵
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  PID:980
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:376
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                      18⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:660
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:2680
                                        • C:\Windows\SysWOW64\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                          20⤵
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:884
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:2264
                                            • C:\Windows\SysWOW64\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                              22⤵
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              PID:868
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:580
                                                • C:\Windows\SysWOW64\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                  24⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2832
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:2648
                                                    • C:\Windows\SysWOW64\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                      26⤵
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2904
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:2500
                                                        • C:\Windows\SysWOW64\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                          28⤵
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          PID:612
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2064
                                                            • C:\Windows\SysWOW64\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                              30⤵
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2940
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1612
                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                  32⤵
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1360
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:1048
                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                      34⤵
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:568
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:2540
                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                          36⤵
                                                                          • Loads dropped DLL
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:2132
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:1604
                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                              38⤵
                                                                              • Loads dropped DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:804
                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:1600
                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                  40⤵
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:960
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                              14⤵
                              • System Location Discovery: System Language Discovery
                              PID:2584
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:3016
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                  8⤵
                  • System Location Discovery: System Language Discovery
                  PID:2388

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

          Filesize

          92B

          MD5

          67b9b3e2ded7086f393ebbc36c5e7bca

          SHA1

          e6299d0450b9a92a18cc23b5704a2b475652c790

          SHA256

          44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

          SHA512

          826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          6a10838e65cf3aedda11230ee7f407b7

          SHA1

          7878e96feb82d309b74e4fe98ad256d3bfd63d08

          SHA256

          79b9776ab8d5f525f63ccab50ff6d79e7a7daeb47894ce971b63ab072314009e

          SHA512

          7fd419656935cef9e30f36f618df90399b015dc281dea6b30f12ba7bf2c07a58e7aa570ea5fd1f04b3643be33eb1d8521787c94384cb7ef0ec8d5459a8c50eaa

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          753B

          MD5

          5fb7bc16d617d3e0776046ccfaa6e47e

          SHA1

          078f0c3e072e11f1a7cc9581a9adab599763dd9b

          SHA256

          23b55f8e0edde2abb5366aa7f27d2a2f8a14800e78674f3178c2b15599d093a8

          SHA512

          962d13fb0f64e48dd0a41ac60021f388edb62d95da1e17e69b3f28c3630a3f25e9539847edcc5848e739a4b36ce10f370afac8cb716aca5e4116605e9f648bc3

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          dcda7be7bee467e770890045f8b7ae2a

          SHA1

          c2d1c9669b5115473dd2fcb27bb76aed83afdcd1

          SHA256

          5818c70269cba768813218e1a65265488b4c36ebee593535af98a52bf1eeed33

          SHA512

          5a69286101d6a3f52a919910584f2618e2e7adcf8b77806b5e4ecd8b881a86693df968818cec771b93b50d05849e165da0d66c5cfb121297f56cf7bef804a408

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          cd3670279cfd4857ab7ae976f56ad473

          SHA1

          2b4136cb5f5aa98e7cf48135db771fe497da942f

          SHA256

          9824342f00af60b70c73fd0b0b08c54f1439d6f6964ce1286a7eec748047041f

          SHA512

          30e7536c3209027ad3df30edd10d69b666a936c4184f3ad26ebf683ae2d066607b9eda521955af0a3cb235d6d84cc5c6fda747525bef19ec3a5016db66945889

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          5465e98b54b47d65941e5d12deb27c9d

          SHA1

          50e5e6ced6e5e332b303de4fa146482fbdf782d5

          SHA256

          38f339c2f4c0d7ea1ba1500460c63bc626a2465b3ca48c4d63ee2b0f3eafb82a

          SHA512

          50c6bc8c7da8c036c909672ade71b08aea49bc58474c40e660d7dc23c3a9869cfad82b4dc96335057ecd5bd1011f3db712f667b4085555e3dc6fb90de56b1c3a

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          24e4a44b907089d788280d647e33c77e

          SHA1

          ac5a4e397dea243c0022c55319e7c7035d013905

          SHA256

          7fcd076a55f0b7c8e9407217aee7e68893461d15cb8d2946ac5250af35137211

          SHA512

          c4a8dac1c1d5dfa976cc3e8fd299e423ab620463983b8c602be8a83ecc6598eb3f1d60a7370806e1f85a52dd91e4f1337a6dff2e99459f9a1e429a1ffb65a00b

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          c91530bbaec9815f2db19bd6645b8729

          SHA1

          ea901a28f06bfbfc1dc9c3391910a87bfaf07020

          SHA256

          7924a95b4fb309a069dcb92b65632f01f9db2560b224d4812ebb84130994ab8d

          SHA512

          7ebce2d0627561189c27073f3e43e84e6164c3c4a63fe4172d2c1214fe799795393573038fb3dd75359327e7cca4eec17889749411e289480580f568b02e6588

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          be85ce7bb02d959078db568ee3a8905d

          SHA1

          e3598468f1db49d961a98da4deda91a619b56985

          SHA256

          4d76969f7a746574f6be0eca7b1939230ca7607610f12f82b670f4b7bf829806

          SHA512

          8ffd0d9432c57b2a445afb0701de88903bee1df5295b7ec14042623bfd5d72d0d3cdf198bbdce55be06439c8ac594ddc9bcf53f425bf9e9c9ebb299f6d8150cb

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          5ef4272f4d6f345fc8cc1b2f059c81b4

          SHA1

          78bcb559f775d70e10396e1d6d7b95c28d2645d1

          SHA256

          19f8d5209b4a5789cdfd5b67cb0b9f6c3546c62912bcb1ef1c69a15602beb652

          SHA512

          002693255c600456d965b5a7e36f780deec4d80cd9fe56f7f974b8762e2b140002a1dabf4b059d6163c9cc00a0e1e9da71899e13347fb4bb2985bbc7058469cb

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          c5ae655707a21f6473c5f382a787e100

          SHA1

          1d2078ebfae286212eb90e60c9dbce5e70ac24f1

          SHA256

          baf83e476c96ab1af7a7482de26dae9909744fad6d12c6ae818f51b834cecb50

          SHA512

          af80731f380d75a643ab885ba152cb7118297ab4e70ff44dd96b7bae8542881f0d06cdbe0ac524cdc30ddca970c2b27adf6398f8efc6e510cea6cc0b2a59b34f

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          70e226fbd8b4b3f2ddf8a8753a77586a

          SHA1

          a81a39d08f77479d0ee65599dd2749031c32fc19

          SHA256

          3eb2bfca11e83ada63c9e426764e07267c058964f959ca5e0c3f0f8933e40026

          SHA512

          f8c3f2f4172e8cabb856cbc2527dae48cba6d740a8ad9844bb32013ccba200b4c03dfdbe3713d9caa5f7416b8729cba4d516a73989b388c952ab08205b3cd4b8

        • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

          Filesize

          696B

          MD5

          910e8b4a682865877d5b4c6b32ac2db3

          SHA1

          7df0ffdcff6b2f1d51878af2ca989990c399c005

          SHA256

          0eaa114fec2febec98337efcccfbb2863979005935decd44f9cd7db110b33b9f

          SHA512

          eb3e30e57f8ae59dc62d7c7f6c20296c7105a3fead464229b7b037924a20127266c0f09a6090cdeae4bea0f728f6213b2da67b44c3cd85a662c6b0cdf34c24bb

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          6f28f6d71b4c0a6a1cf8b531effc6778

          SHA1

          42b182137c690aca32f9c55277dfaede38857009

          SHA256

          bff72364674f8d50a3c78533c8cffda72a0fefba40dd9a68948a9be87d410f2b

          SHA512

          b0d8159098aee3e4f84759145b105bf136853fdbe1bd56852a5a749fa254cca729b1847028c9832a065d2bc32f9637f4b439e90b3025a32232bc50e134fbab79

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          6947a2c72380d085326d3c8eb0810236

          SHA1

          6a1dd3944aa5ec6bef6914fb48720466a632f2c7

          SHA256

          de8d791abfd37cf9f31981c4930281367ba64ed8e9b8e53c0b19a1a464ace1e5

          SHA512

          b92d93464a8fe49a021bfda14ae043272990242b420d7b96a442547b837ac29ce7262ef0f1de0c4ecf48df7326b11714ed88f88a5f17873166633326af9e09d6

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          56c639706e44e42d7d2036db9720871b

          SHA1

          c5fcb76775aa65efa3fb69519c35dd837103f6ce

          SHA256

          0d5a735b13219eaea8efed1dd1e0436aebeee2fdee5fe794f2677d2a39f7ae81

          SHA512

          10c29daaf543a521fa8d9c8690a629d2614003a871046ab86d92f78b3719a83177a5e1dbdd516a50ae9df5105f97e2489d343196e0892430f7fdf5a7ad5794a7

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          6a449d034be3fce19c4dc196da7019ee

          SHA1

          20eb3caac22e6fbe940677a424bfd6c3467b02d3

          SHA256

          e02955c376930ff7a5fd2baa9003f2ae88a79bf926ed9a35fdd3d75ec1c67e64

          SHA512

          74ad9a53b265fbf56b910394a7226a3591c3ce32a656003b35cbcc8aa78dea6047d2f72b52c95129191e82db0cf3d634c19cad810a2a818a7108b8cddf531780

        • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          80fbd7cf955089c8e21d3ab225a76493

          SHA1

          2c2fe8bea02749dc50bb9cf43c1f83b92ebbf1de

          SHA256

          1a34083112fe16b506d15926f2f7cfdf944ad79c6486ca20568620454d94666e

          SHA512

          ca228282f14954c0c7bdf7aacd23bdae6c69e01741b6978b325e07425010af21cd3c432bebe974e1ca99dfcb3533caf496af1f24e172ac20445301c3ec8622ed

        • \Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

          Filesize

          1.1MB

          MD5

          fd46a351f36c898575ccd273c9e8ba62

          SHA1

          172608b3ca02d9ae49ed2303075bbabac3addfe1

          SHA256

          d2e26580e3ad396e9c494fdac73ec85ee2cff4045f73e73f46c183af691a6788

          SHA512

          85de9268a76e454a529210eec9ec415b657a9e1e653dacdefa29967057d56f958b5eb40a974ff8dd0da5cc495d6953a0212a44796e2e62d3ceb3503e4da9ebc6

        • memory/376-165-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/376-162-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/568-230-0x0000000004570000-0x00000000046CF000-memory.dmp

          Filesize

          1.4MB

        • memory/580-189-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/580-182-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/584-36-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/584-29-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/804-252-0x0000000003F40000-0x000000000409F000-memory.dmp

          Filesize

          1.4MB

        • memory/868-94-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/868-103-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/980-157-0x00000000048B0000-0x0000000004A0F000-memory.dmp

          Filesize

          1.4MB

        • memory/984-0-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/984-9-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1048-222-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1048-229-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1424-85-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1600-253-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1604-240-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1604-247-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1612-221-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1612-214-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1680-14-0x0000000003EA0000-0x0000000003FFF000-memory.dmp

          Filesize

          1.4MB

        • memory/1680-13-0x0000000003EA0000-0x0000000003FFF000-memory.dmp

          Filesize

          1.4MB

        • memory/1740-69-0x0000000005B80000-0x0000000005CDF000-memory.dmp

          Filesize

          1.4MB

        • memory/1748-93-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/1968-142-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2064-206-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2064-213-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2132-239-0x0000000005BA0000-0x0000000005CFF000-memory.dmp

          Filesize

          1.4MB

        • memory/2192-108-0x0000000004610000-0x000000000476F000-memory.dmp

          Filesize

          1.4MB

        • memory/2192-109-0x0000000004610000-0x000000000476F000-memory.dmp

          Filesize

          1.4MB

        • memory/2264-174-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2264-181-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2344-154-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2500-205-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2540-231-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2540-238-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2604-74-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2604-70-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2608-40-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2608-49-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2648-191-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2648-198-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2668-122-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2668-132-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2680-173-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2680-170-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2804-24-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2832-190-0x0000000004610000-0x000000000476F000-memory.dmp

          Filesize

          1.4MB

        • memory/2992-54-0x0000000005C60000-0x0000000005DBF000-memory.dmp

          Filesize

          1.4MB

        • memory/2992-39-0x0000000004590000-0x00000000046EF000-memory.dmp

          Filesize

          1.4MB

        • memory/2996-110-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/2996-118-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3016-55-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB

        • memory/3016-63-0x0000000000400000-0x000000000055F000-memory.dmp

          Filesize

          1.4MB