d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
23/08/2024, 02:31

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe
Size

1.1MB
MD5

58326a16196d58e64ca62c8a58789c8c
SHA1

7c2e04d6459f182db9028ced71c3005c7e7e2bb1
SHA256

d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68
SHA512

f8b5d8b9c6cb38230193cccef82e762f66754903406431358b466a3050a3d79bdf1768d3051f458b69981715417a0d1821308fb2571628b6559c03c153f75780
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5Q8:acallSllG4ZM7QzML

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2264	svchcst.exe

Executes dropped EXE 10 IoCs

pid	Process
2264	svchcst.exe
2856	svchcst.exe
684	svchcst.exe
2340	svchcst.exe
1640	svchcst.exe
1960	svchcst.exe
1124	svchcst.exe
2956	svchcst.exe
2392	svchcst.exe
1968	svchcst.exe

Loads dropped DLL 11 IoCs

pid	Process
2788	WScript.exe
2788	WScript.exe
1992	WScript.exe
2512	WScript.exe
2512	WScript.exe
732	WScript.exe
936	WScript.exe
1380	WScript.exe
2860	WScript.exe
2620	WScript.exe
2860	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe
2264	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe
2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe
2264	svchcst.exe
2264	svchcst.exe
2856	svchcst.exe
2856	svchcst.exe
684	svchcst.exe
684	svchcst.exe
2340	svchcst.exe
2340	svchcst.exe
1640	svchcst.exe
1640	svchcst.exe
1960	svchcst.exe
1960	svchcst.exe
1124	svchcst.exe
1124	svchcst.exe
2956	svchcst.exe
2956	svchcst.exe
2392	svchcst.exe
2392	svchcst.exe
1968	svchcst.exe
1968	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2732 wrote to memory of 2788	2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe	30
PID 2732 wrote to memory of 2788	2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe	30
PID 2732 wrote to memory of 2788	2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe	30
PID 2732 wrote to memory of 2788	2732	d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe	30
PID 2788 wrote to memory of 2264	2788	WScript.exe	32
PID 2788 wrote to memory of 2264	2788	WScript.exe	32
PID 2788 wrote to memory of 2264	2788	WScript.exe	32
PID 2788 wrote to memory of 2264	2788	WScript.exe	32
PID 2264 wrote to memory of 1372	2264	svchcst.exe	33
PID 2264 wrote to memory of 1372	2264	svchcst.exe	33
PID 2264 wrote to memory of 1372	2264	svchcst.exe	33
PID 2264 wrote to memory of 1372	2264	svchcst.exe	33
PID 2264 wrote to memory of 1992	2264	svchcst.exe	34
PID 2264 wrote to memory of 1992	2264	svchcst.exe	34
PID 2264 wrote to memory of 1992	2264	svchcst.exe	34
PID 2264 wrote to memory of 1992	2264	svchcst.exe	34
PID 1992 wrote to memory of 2856	1992	WScript.exe	35
PID 1992 wrote to memory of 2856	1992	WScript.exe	35
PID 1992 wrote to memory of 2856	1992	WScript.exe	35
PID 1992 wrote to memory of 2856	1992	WScript.exe	35
PID 2856 wrote to memory of 2512	2856	svchcst.exe	36
PID 2856 wrote to memory of 2512	2856	svchcst.exe	36
PID 2856 wrote to memory of 2512	2856	svchcst.exe	36
PID 2856 wrote to memory of 2512	2856	svchcst.exe	36
PID 2512 wrote to memory of 684	2512	WScript.exe	37
PID 2512 wrote to memory of 684	2512	WScript.exe	37
PID 2512 wrote to memory of 684	2512	WScript.exe	37
PID 2512 wrote to memory of 684	2512	WScript.exe	37
PID 684 wrote to memory of 2256	684	svchcst.exe	38
PID 684 wrote to memory of 2256	684	svchcst.exe	38
PID 684 wrote to memory of 2256	684	svchcst.exe	38
PID 684 wrote to memory of 2256	684	svchcst.exe	38
PID 2512 wrote to memory of 2340	2512	WScript.exe	39
PID 2512 wrote to memory of 2340	2512	WScript.exe	39
PID 2512 wrote to memory of 2340	2512	WScript.exe	39
PID 2512 wrote to memory of 2340	2512	WScript.exe	39
PID 2340 wrote to memory of 936	2340	svchcst.exe	40
PID 2340 wrote to memory of 936	2340	svchcst.exe	40
PID 2340 wrote to memory of 936	2340	svchcst.exe	40
PID 2340 wrote to memory of 936	2340	svchcst.exe	40
PID 2340 wrote to memory of 732	2340	svchcst.exe	41
PID 2340 wrote to memory of 732	2340	svchcst.exe	41
PID 2340 wrote to memory of 732	2340	svchcst.exe	41
PID 2340 wrote to memory of 732	2340	svchcst.exe	41
PID 732 wrote to memory of 1640	732	WScript.exe	42
PID 732 wrote to memory of 1640	732	WScript.exe	42
PID 732 wrote to memory of 1640	732	WScript.exe	42
PID 732 wrote to memory of 1640	732	WScript.exe	42
PID 936 wrote to memory of 1960	936	WScript.exe	43
PID 936 wrote to memory of 1960	936	WScript.exe	43
PID 936 wrote to memory of 1960	936	WScript.exe	43
PID 936 wrote to memory of 1960	936	WScript.exe	43
PID 1640 wrote to memory of 1380	1640	svchcst.exe	44
PID 1640 wrote to memory of 1380	1640	svchcst.exe	44
PID 1640 wrote to memory of 1380	1640	svchcst.exe	44
PID 1640 wrote to memory of 1380	1640	svchcst.exe	44
PID 1380 wrote to memory of 1124	1380	WScript.exe	45
PID 1380 wrote to memory of 1124	1380	WScript.exe	45
PID 1380 wrote to memory of 1124	1380	WScript.exe	45
PID 1380 wrote to memory of 1124	1380	WScript.exe	45
PID 1124 wrote to memory of 2860	1124	svchcst.exe	46
PID 1124 wrote to memory of 2860	1124	svchcst.exe	46
PID 1124 wrote to memory of 2860	1124	svchcst.exe	46
PID 1124 wrote to memory of 2860	1124	svchcst.exe	46

C:\Users\Admin\AppData\Local\Temp\d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe
"C:\Users\Admin\AppData\Local\Temp\d13fd23e58228672bf18b9f3bdc21bbf5c3e5181b266bc65fffaf9392234dc68.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2788
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2264
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1372
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1992
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2856
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:684
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1960
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:732
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1640
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
3ed43de1cee96aaf1d64189d4482a672

SHA1
a346f6b3eca7b8442021d9878288d91084d00d79

SHA256
b2905e040a668759a3fbdc7f07ff57b3e197bbeec24099b65734e884c1e0bd98

SHA512
8f8536a36603c14a567034f0119212a6b3bf9dd52afcbe213b4e26c737394fe838baf0743440f62cd5d61d8d9c694279679e155920a9af3c2cac1549d43040dc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0e6005a9dcb5a78d6fdd54527602f926

SHA1
90adc62e99f3c94c643596af0e17b5853b91fe1f

SHA256
847552b1ad30bd72f24acfe4afa5c326d3e79d7c2f147c958d72e92daca716da

SHA512
b4acfd81c1e926fcd305690aa3780bbec50460bcf947d17c20d6445faca4e774294b9da3a144207ccb3855e3ea2008a2d82ef691f32a4db6c7c3eb8202c6b568

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
ab52ce62f84a24d48d9cebec5331b1c6

SHA1
6fcb810a46e83020e55af419752f5583f9dcb9ba

SHA256
908bec6021a78b90a02c6123db4ac62b590ea738e97fa35aac7c4dce624f3244

SHA512
8823f3f60863692a8fd2be8610670b06077ea7c948b7c46f9a1ab712276b27e48c19d0a394e7f51c0fbdf753f989af4cac5dab078e4f04ee5ee6a50427368cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
463784728a0ab2b8cc52ee1ed0e5258e

SHA1
620a618c31439d36e8539e50359713befcc28e92

SHA256
a34e1ed304dca4f58275bdd5daaf071d1767db7bb7ccc6bf2aea2df5e2be023b

SHA512
52f9736297fbaf65179d35e01c7a15d516d2ff8b5c949a45046bc668bbe94b5da63aea4d5920ebfc1a884721f16fdcae75ea08ca9a6aa78297a44051ed979c7f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
bdff210bf33c9ed5f2b10773c8c98ff5

SHA1
fc4fbaca4c7f23506dc792dec89e640050ad62e9

SHA256
900ab6b8ac0df4e138335d9d8e283495f569bf9fa1f401a6f8122661104f8cf8

SHA512
45849b735796586ea2518bd4aec42377db54b2de01025df65e52d8d1561d7e26702051c945ac7257857e00d7ab9d2d7fbf87f178e1e606905e095b22d95e5b32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
324689f1e639f2a40a2b2a43cc89efa2

SHA1
cd2f18606d59cce2f580bb43ff2e17d88a70a891

SHA256
b631b06c3eb2ee10fc743ee52c9790dd0d7f0ea067d0e85839b725651aa8c324

SHA512
a0357502baa226602e4852d4a847c1f35f93866fd925e12978eff349fc71ab5782c20d573ab63c51ccc96dc1cbc78f5fbcc6ae7782fa3442ac473cd04ad95705

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3c12f50bbe08874441e82aae5113fa7a

SHA1
82ff5db8f39a2b8a73d32836eabd4cb23672e356

SHA256
c45897a1eec2066b3dcf8c77e12bcdfae114c6b2bca0be18226290bdc0b538a6

SHA512
f94d090fe524f9e43ecaa699e0f2393b1bb0c2abd5de2393cf351d1d9072936245879804750de2db908edc2dd5ece19fff17b70f2c0f67c0b72bed18967e6787

Download Submit
memory/684-50-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/684-42-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/936-70-0x0000000005210000-0x000000000536F000-memory.dmp

Filesize
1.4MB

Download
memory/1124-79-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1124-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1640-64-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1960-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1968-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1992-31-0x0000000005380000-0x00000000054DF000-memory.dmp

Filesize
1.4MB

Download
memory/2264-16-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2264-28-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2340-54-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2340-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-107-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2392-109-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2512-53-0x0000000003E00000-0x0000000003F5F000-memory.dmp

Filesize
1.4MB

Download
memory/2620-110-0x0000000003F20000-0x000000000407F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2732-9-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-14-0x0000000003EF0000-0x000000000404F000-memory.dmp

Filesize
1.4MB

Download
memory/2788-13-0x0000000003EF0000-0x000000000404F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-39-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2856-32-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2860-90-0x00000000053A0000-0x00000000054FF000-memory.dmp

Filesize
1.4MB

Download
memory/2860-104-0x00000000053A0000-0x00000000054FF000-memory.dmp

Filesize
1.4MB

Download
memory/2956-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2956-100-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download