Analysis

  • max time kernel
    150s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    25-08-2024 23:25

General

  • Target

    331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe

  • Size

    1.1MB

  • MD5

    61504593aacc72b2c2a76badb51e55b0

  • SHA1

    1ed451c0d8b037d8716ba49c04a362aaf45dd5c1

  • SHA256

    331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef

  • SHA512

    7fa12b7ce0069d07f6a7e048d74d1cca7526e6093150127b717177818569173e9e899797b94e2d1efa2ca35a89908443c8b44667cac1bee5ae5dc2d32d01697d

  • SSDEEP

    24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Q5:CcaClSFlG4ZM7QzMK

Score
7/10

Malware Config

Signatures

  • Deletes itself 1 IoCs
  • Executes dropped EXE 23 IoCs
  • Loads dropped DLL 46 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 48 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: RenamesItself 1 IoCs
  • Suspicious use of SetWindowsHookEx 48 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe
    "C:\Users\Admin\AppData\Local\Temp\331334a26394c97dc7d51cc2f907971dffde09f2c905de0cedce299f8dd7ddef.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: RenamesItself
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3032
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        3⤵
        • Deletes itself
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2968
        • C:\Windows\SysWOW64\WScript.exe
          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
          4⤵
          • Loads dropped DLL
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2716
          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
            5⤵
            • Executes dropped EXE
            • System Location Discovery: System Language Discovery
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:2004
            • C:\Windows\SysWOW64\WScript.exe
              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
              6⤵
              • Loads dropped DLL
              • System Location Discovery: System Language Discovery
              • Suspicious use of WriteProcessMemory
              PID:2420
              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                7⤵
                • Executes dropped EXE
                • System Location Discovery: System Language Discovery
                • Suspicious use of SetWindowsHookEx
                • Suspicious use of WriteProcessMemory
                PID:2132
                • C:\Windows\SysWOW64\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                  8⤵
                  • Loads dropped DLL
                  • System Location Discovery: System Language Discovery
                  • Suspicious use of WriteProcessMemory
                  PID:1416
                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                    9⤵
                    • Executes dropped EXE
                    • System Location Discovery: System Language Discovery
                    • Suspicious use of SetWindowsHookEx
                    • Suspicious use of WriteProcessMemory
                    PID:2228
                    • C:\Windows\SysWOW64\WScript.exe
                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                      10⤵
                      • Loads dropped DLL
                      • System Location Discovery: System Language Discovery
                      • Suspicious use of WriteProcessMemory
                      PID:1692
                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                        11⤵
                        • Executes dropped EXE
                        • System Location Discovery: System Language Discovery
                        • Suspicious use of SetWindowsHookEx
                        • Suspicious use of WriteProcessMemory
                        PID:2988
                        • C:\Windows\SysWOW64\WScript.exe
                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                          12⤵
                          • Loads dropped DLL
                          • System Location Discovery: System Language Discovery
                          • Suspicious use of WriteProcessMemory
                          PID:880
                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                            13⤵
                            • Executes dropped EXE
                            • System Location Discovery: System Language Discovery
                            • Suspicious use of SetWindowsHookEx
                            • Suspicious use of WriteProcessMemory
                            PID:1556
                            • C:\Windows\SysWOW64\WScript.exe
                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                              14⤵
                              • Loads dropped DLL
                              • System Location Discovery: System Language Discovery
                              • Suspicious use of WriteProcessMemory
                              PID:2080
                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                15⤵
                                • Executes dropped EXE
                                • System Location Discovery: System Language Discovery
                                • Suspicious use of SetWindowsHookEx
                                • Suspicious use of WriteProcessMemory
                                PID:2156
                                • C:\Windows\SysWOW64\WScript.exe
                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                  16⤵
                                  • Loads dropped DLL
                                  • System Location Discovery: System Language Discovery
                                  • Suspicious use of WriteProcessMemory
                                  PID:1604
                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                    17⤵
                                    • Executes dropped EXE
                                    • System Location Discovery: System Language Discovery
                                    • Suspicious use of SetWindowsHookEx
                                    PID:1656
                                    • C:\Windows\SysWOW64\WScript.exe
                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                      18⤵
                                      • Loads dropped DLL
                                      • System Location Discovery: System Language Discovery
                                      PID:2912
                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                        19⤵
                                        • Executes dropped EXE
                                        • System Location Discovery: System Language Discovery
                                        • Suspicious use of SetWindowsHookEx
                                        PID:3064
                                        • C:\Windows\SysWOW64\WScript.exe
                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                          20⤵
                                          • Loads dropped DLL
                                          • System Location Discovery: System Language Discovery
                                          PID:2776
                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                            21⤵
                                            • Executes dropped EXE
                                            • System Location Discovery: System Language Discovery
                                            • Suspicious use of SetWindowsHookEx
                                            PID:664
                                            • C:\Windows\SysWOW64\WScript.exe
                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                              22⤵
                                              • Loads dropped DLL
                                              • System Location Discovery: System Language Discovery
                                              PID:1252
                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                23⤵
                                                • Executes dropped EXE
                                                • System Location Discovery: System Language Discovery
                                                • Suspicious use of SetWindowsHookEx
                                                PID:2704
                                                • C:\Windows\SysWOW64\WScript.exe
                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                  24⤵
                                                  • Loads dropped DLL
                                                  • System Location Discovery: System Language Discovery
                                                  PID:2224
                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                    25⤵
                                                    • Executes dropped EXE
                                                    • System Location Discovery: System Language Discovery
                                                    • Suspicious use of SetWindowsHookEx
                                                    PID:1920
                                                    • C:\Windows\SysWOW64\WScript.exe
                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                      26⤵
                                                      • Loads dropped DLL
                                                      • System Location Discovery: System Language Discovery
                                                      PID:2228
                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                        27⤵
                                                        • Executes dropped EXE
                                                        • System Location Discovery: System Language Discovery
                                                        • Suspicious use of SetWindowsHookEx
                                                        PID:1856
                                                        • C:\Windows\SysWOW64\WScript.exe
                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                          28⤵
                                                          • Loads dropped DLL
                                                          • System Location Discovery: System Language Discovery
                                                          PID:2988
                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                            29⤵
                                                            • Executes dropped EXE
                                                            • System Location Discovery: System Language Discovery
                                                            • Suspicious use of SetWindowsHookEx
                                                            PID:2464
                                                            • C:\Windows\SysWOW64\WScript.exe
                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                              30⤵
                                                              • Loads dropped DLL
                                                              • System Location Discovery: System Language Discovery
                                                              PID:2220
                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                31⤵
                                                                • Executes dropped EXE
                                                                • System Location Discovery: System Language Discovery
                                                                • Suspicious use of SetWindowsHookEx
                                                                PID:1508
                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                  32⤵
                                                                  • Loads dropped DLL
                                                                  • System Location Discovery: System Language Discovery
                                                                  PID:1644
                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                    33⤵
                                                                    • Executes dropped EXE
                                                                    • System Location Discovery: System Language Discovery
                                                                    • Suspicious use of SetWindowsHookEx
                                                                    PID:2972
                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                      34⤵
                                                                      • Loads dropped DLL
                                                                      • System Location Discovery: System Language Discovery
                                                                      PID:2904
                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                        35⤵
                                                                        • Executes dropped EXE
                                                                        • System Location Discovery: System Language Discovery
                                                                        • Suspicious use of SetWindowsHookEx
                                                                        PID:2656
                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                          36⤵
                                                                          • Loads dropped DLL
                                                                          • System Location Discovery: System Language Discovery
                                                                          PID:588
                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                            37⤵
                                                                            • Executes dropped EXE
                                                                            • System Location Discovery: System Language Discovery
                                                                            • Suspicious use of SetWindowsHookEx
                                                                            PID:2612
                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                              38⤵
                                                                              • Loads dropped DLL
                                                                              • System Location Discovery: System Language Discovery
                                                                              PID:1140
                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                39⤵
                                                                                • Executes dropped EXE
                                                                                • System Location Discovery: System Language Discovery
                                                                                • Suspicious use of SetWindowsHookEx
                                                                                PID:2812
                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                  40⤵
                                                                                  • Loads dropped DLL
                                                                                  • System Location Discovery: System Language Discovery
                                                                                  PID:3056
                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                    41⤵
                                                                                    • Executes dropped EXE
                                                                                    • System Location Discovery: System Language Discovery
                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                    PID:1888
                                                                                    • C:\Windows\SysWOW64\WScript.exe
                                                                                      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                      42⤵
                                                                                      • Loads dropped DLL
                                                                                      • System Location Discovery: System Language Discovery
                                                                                      PID:2796
                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                        43⤵
                                                                                        • Executes dropped EXE
                                                                                        • System Location Discovery: System Language Discovery
                                                                                        • Suspicious use of SetWindowsHookEx
                                                                                        PID:2124
                                                                                        • C:\Windows\SysWOW64\WScript.exe
                                                                                          "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                          44⤵
                                                                                          • Loads dropped DLL
                                                                                          • System Location Discovery: System Language Discovery
                                                                                          PID:1532
                                                                                          • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                            "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                            45⤵
                                                                                            • Executes dropped EXE
                                                                                            • System Location Discovery: System Language Discovery
                                                                                            • Suspicious use of SetWindowsHookEx
                                                                                            PID:2232
                                                                                            • C:\Windows\SysWOW64\WScript.exe
                                                                                              "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                              46⤵
                                                                                              • Loads dropped DLL
                                                                                              • System Location Discovery: System Language Discovery
                                                                                              PID:1564
                                                                                              • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
                                                                                                "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
                                                                                                47⤵
                                                                                                • Executes dropped EXE
                                                                                                • System Location Discovery: System Language Discovery
                                                                                                • Suspicious use of SetWindowsHookEx
                                                                                                PID:2460
                                                                                                • C:\Windows\SysWOW64\WScript.exe
                                                                                                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
                                                                                                  48⤵
                                                                                                  • System Location Discovery: System Language Discovery
                                                                                                  PID:2256

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

    Filesize

    92B

    MD5

    67b9b3e2ded7086f393ebbc36c5e7bca

    SHA1

    e6299d0450b9a92a18cc23b5704a2b475652c790

    SHA256

    44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

    SHA512

    826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    753B

    MD5

    d1eba0335f1325906676b38df3ad2865

    SHA1

    e721e8d10fd94caa983cd5ffd2a606b63b067011

    SHA256

    fa307aed536f6972b8a84bfe5d2d5c8fcee94b01239b47216370f8173fb62964

    SHA512

    f84b49ad4a2518fe6591ff4a3861e6ed847ec12a5c7df7b40173832be8edbdf31ceb19dd263e93103757ba809901be9ad663eae6da6fdb7c33d906493e8083c3

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    ae63ded87a90f9812749cac189d07a57

    SHA1

    5a37ba565ce8c2445ff71f7c3d7adc38cb68627f

    SHA256

    6251cc562aff44a7222fe555019800d44c515c0319748fae595621d92f5d9236

    SHA512

    293cf9a753b1456071db8840910ec3ee7a0a00342caeb27a3bf7c150b54e51a22673e8262fd4376bad6c29eff3b3a77c1c47c1e10c49abffaba899b9193d9429

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    3353d1633bca569636039038a518d927

    SHA1

    780e7b0504ce0c3eb7a2d5ab9cc18b9d0596bd34

    SHA256

    6f9daffcca457b49869f9b22fe00e63b4c232c9e13998ab908b91909aa446b8d

    SHA512

    66a8b0877d6c6f196b85b4e8bf7d67da20fd3749543d65b54599233fc68f476445e70f9ad8e54cb3a71676c6b8a51957f11df2442883f1283c6d526884ec0c18

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    b5e11596fa3b5ec67af0232750a3cadb

    SHA1

    80cb25f5250390b6b2130c8b4eefc9872cc4939d

    SHA256

    d6429bbb3e3d5c86f30efdb3aa599d47eb8f130c1d0f2a6345e3e9387f7670b3

    SHA512

    06c71dd481c8936cb5c8a259111986a31b94e7bf73267a081e2162e16b3bffc633a257b5dcf2fd64c7bcc95a20ee841d5d07ca2ea5a16b7f862aec9cde5f17f2

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    c94fda6716d92036e02a0e70b433735f

    SHA1

    eb4e57b1461e03a201dbfd20dd308ca88694e55d

    SHA256

    ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

    SHA512

    bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    298f56408ef5bfe14b938d85e57c843d

    SHA1

    691d78c4c4887333b4679d3e340a7a04caad13a3

    SHA256

    b5738b726b24c9d220bd7256e4abb2e97215d50416bf67983cc82dc83b46298a

    SHA512

    227bf6d7e70568144112dc142ef60fa38f2b5f39196e3d3377a120b78fa86382726021f024bf5413548df0ce1734bb905d28e56de4dd80c6f21c05ab2a5ef83e

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    d04e4fa1d3c8ba67f98c8e40c157ed97

    SHA1

    c0d95df53f8a804370ce7230fd02b9e58f75ec22

    SHA256

    b0544b1226f7cfd08fbffa33537e742cae314ef9ebc6a146d9aae7ead895ae1f

    SHA512

    7436211ec14314df3689406a0b828f28a337929922fe1d381569b3eedc40dd9639764a73adfb033ede68ff760c5c0429de44a865e96f105cd0a2b6ec80269890

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    1a9d2727f5157f704f57fb2f0e0a7939

    SHA1

    4085542ccb9a53b29208916307ee515880d6410f

    SHA256

    46c5d3b8a158fe319dfd325df66634b1bdef724bab79b7007f565e44beb34f31

    SHA512

    7ec52df630965769dae3e05a1b9fd489c7d5413ea77b28cbe2435e839f80d7eabdbbcc74af4cf544b9f0f57403a505501b08753ffeaec8cf6c32972fc3e72d68

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    66dec81d7f7dc4e36f9d8151fe38056a

    SHA1

    fc169994b2239eb407778d28d35025f7c9a1658e

    SHA256

    a09a3c722b494400011829c5645415020d39c8e6ec90f466fc3109a1ba49db2a

    SHA512

    3e8af1d301ba9228d5afcfaa1e1d3e6f931c5f0ba5e19c74f73b88ddf7c4baa7b24f13533679096f6c94871985de9e47d0f91362ec2ee9132b1e1b772d56fbcc

  • C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

    Filesize

    696B

    MD5

    aa6578debd9e5045ad239d59ebeb6d15

    SHA1

    2a25e6293914cd6ada6649f34506c8bcf35494aa

    SHA256

    7acb095ca5298eb1d1e2ba7f02c1b876d7d28684762a9d180ae2ed8c9e68beb2

    SHA512

    150796c7aad73d1732103e41bd01d3c181b4a0afd37b673d184d5c6c643622704e7692b668e231a319549c2bb378f4d83c7ede82caf81dd15c934b81936e22b2

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    1e469ebc91d6a75c01334fe9d164afed

    SHA1

    4f3aff7c09721aded279e99941c9fde919d248a6

    SHA256

    bb16ac1618c63dbf8ae0b828b8f53b0c506417e47a3a4f7ce3df25b3db0f785b

    SHA512

    202a69a18bc3d3bd1db80ece695a3f6ec062161bb02895c2c07481bdafe83f96c1e2f2e1c0aadc6d24be7bc0812ea0a444f01b1ba8fde9c73e50945d1a30fb73

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    20ef2b12c9ac4ef9c450654fe49ca077

    SHA1

    7a2f69d812e04ac899e1638f460d478d2ee9feef

    SHA256

    d571e77b680297a25b72bc899f029295a161800af8def0a3af9f3f5b4140d973

    SHA512

    3adb1f58d1dac69276fc84ac13af7025488c9bbbe47ac064d91e614b8a7adf3d2fd4882fab2682af149d0c1f578484f62f72c57018c666161dd13bba2065caf8

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    0b532730c1e4cbc4f597159fe784a6f6

    SHA1

    30798d1f6e86a9747037ccc88a9c35d89bea449c

    SHA256

    5bc99108c10e01f911d6db1bac9ad7c8381a80b101f21c2bf4335e3887a1459a

    SHA512

    10216e3d393fa989ab620ad218ffe1f7e1ef38877f76a5221b59734abbe7e0af7bf789e328b2616db8496444ca05fc684568cd4688960bf62db6e7f30460283b

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    87005137326a7dd82e8c208c40d1934a

    SHA1

    09838b8c34f0a33859e9f2de3064b051399c7406

    SHA256

    dfe3fa0285b197297ffe7407bebd4f93aa56f45b34c6fd55f8a6feaa0dc873fb

    SHA512

    5f4ea0570fef4651054d1eab99874f8cbcaa5ca903de79ae3dfb0457174ce836a5b1a0bba8d2582d30bda7137f01838059a7880313758ca81f546251bcebe67c

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    3a3d4a29893cfed7725817128460698b

    SHA1

    1439cff38fa61cd61270ec84d99acf318d073c9f

    SHA256

    c726d7a4e110fec32e4df55ed7143b826efb5923a9195391709d609903d47a5e

    SHA512

    412796da59950cad913d23b13bd0bbbeb5806d7cf1b7f6b9d7a13935e6dca45b9793e3f49a7eafc980a1b70213513003827dbcbf43379b1e85da735a17e18ef8

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    db5b32eb50fdb85bcaf6d25af11e0e60

    SHA1

    4c927a44bd32fc9bbc36969bf0ec0f42280850f5

    SHA256

    4719c4f3461da22df7d6a3431eaf6989a5a1eeda357a7c99acad5d2742d56644

    SHA512

    3ed26322e03f7107aa9e63bf1e6e17d44543eaf32546c6023916b2231c698fcd69171f64513c005e4e7b44b0011ea26ff68dd487ff0f35241426e71cb8f39e69

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    dd8f05a4ff18f928737ca92ffa453914

    SHA1

    59570f476b87dcaeaf33569c8fd01cabc73158ca

    SHA256

    c3fb42cf05d13dac13f07ae95edad6df6a4bbf10cb086869ba0f42a00b294ac2

    SHA512

    30e39161332353cfe0a33d5109bf5f9009fd2d2fcbf79a9143b9a7a3315088e3d673b97813b6119309cf1900ea2945d02223107a94a76ac55c90b4117ae1429d

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    44ea9a7b5eb04822ec99758df53e378a

    SHA1

    561e80288abc9a9fab588d418b1547ab5ba9d741

    SHA256

    d4da29530f1f03509a38f714c4f2d71adb5537508edefea1841d9718399130c4

    SHA512

    e3c6d00085ce05921a6a210d09ead2dcd6caf48564f7e782d3a8d5f475600022a5dfa3e5dcc1eedac02926209758ff266b760d20e9bada0b35921d631eb43aa6

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    0d289e5d35b5312bdf2e1aef44f0549b

    SHA1

    feee949527ffcd2c75273cef167d9d15e6aae50d

    SHA256

    b49c257e16f8acc809e2a4a3a77527667e812cfa461640a1963622f608afc67f

    SHA512

    1d3a871be1ec89755aac80a6a7ccf78968c4f6a7f2fdd4ad5a794cc401e746ccbde25f9116e9f7cf1bdc78c4240201e28c55efd1cb97af7ecca06fd541c9a1f6

  • C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    af8a5525760d50898235514a410f849f

    SHA1

    801a60d6bde5040a4d81851f056402a731f0c971

    SHA256

    c53bfef698602bc46ed8c7beb2c712bdaf44d72b4e920b5a9a20014b4f61df39

    SHA512

    970b12cdd257bac450f5604218cd2ca7195fbd9cdac3324faec8116153b1d9b54ef87df79bf6194a4a05a9fee614d5e908f0d9f19ad13508fd3253ec84d098ee

  • \Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

    Filesize

    1.1MB

    MD5

    48414dd74ebd979926b2eb3e660dd6da

    SHA1

    93338478d9a072f069212e1ca2f03287509b6320

    SHA256

    8225be0286a0ca4e8f7aacd3a30b731d6465af239254fc4dd26ca40932b53083

    SHA512

    802e435d76c156fdb800b593fd36b5b7f3a34b43899acee492f72f1856cc3f504e742897d5b35f62fae4c444496b06c0b40735ceb6da9984d7011f9af74901f5

  • memory/3032-8-0x0000000000400000-0x0000000000551000-memory.dmp

    Filesize

    1.3MB