9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
12/09/2024, 23:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
Size

1.1MB
MD5

f3ade788763f98cc17ea40feeb687df3
SHA1

b0e2023d1ecc4cc540eb95bb0314aaca137dee9a
SHA256

9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d
SHA512

aafa3d861bb070ab47c8de98c824ab5657d7e3dec969a17c0a737d47b22c843b6a6c256f805152535106d3a90a64ecf91c64758407e8bff14d076c769ce1d982
SSDEEP

24576:CH0dl8myX9Bg42QoXFkrzkmmlSgRDko0lG4Z8r7Qfbkiu5Qx:CcaClSFlG4ZM7QzMC

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2788	svchcst.exe

Executes dropped EXE 10 IoCs

pid	Process
2788	svchcst.exe
2588	svchcst.exe
2880	svchcst.exe
1048	svchcst.exe
1076	svchcst.exe
1680	svchcst.exe
2448	svchcst.exe
2016	svchcst.exe
2604	svchcst.exe
2824	svchcst.exe

Loads dropped DLL 19 IoCs

pid	Process
2088	WScript.exe
2088	WScript.exe
2320	WScript.exe
2320	WScript.exe
1528	WScript.exe
1528	WScript.exe
2900	WScript.exe
2900	WScript.exe
2252	WScript.exe
2252	WScript.exe
1992	WScript.exe
1992	WScript.exe
1044	WScript.exe
1044	WScript.exe
2424	WScript.exe
2424	WScript.exe
2704	WScript.exe
2704	WScript.exe
2852	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 21 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe
2788	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe

Suspicious use of SetWindowsHookEx 22 IoCs

pid	Process
2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
2788	svchcst.exe
2788	svchcst.exe
2588	svchcst.exe
2588	svchcst.exe
2880	svchcst.exe
2880	svchcst.exe
1048	svchcst.exe
1048	svchcst.exe
1076	svchcst.exe
1076	svchcst.exe
1680	svchcst.exe
1680	svchcst.exe
2448	svchcst.exe
2448	svchcst.exe
2016	svchcst.exe
2016	svchcst.exe
2604	svchcst.exe
2604	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2348 wrote to memory of 2088	2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	30
PID 2348 wrote to memory of 2088	2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	30
PID 2348 wrote to memory of 2088	2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	30
PID 2348 wrote to memory of 2088	2348	9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe	30
PID 2088 wrote to memory of 2788	2088	WScript.exe	33
PID 2088 wrote to memory of 2788	2088	WScript.exe	33
PID 2088 wrote to memory of 2788	2088	WScript.exe	33
PID 2088 wrote to memory of 2788	2088	WScript.exe	33
PID 2788 wrote to memory of 2320	2788	svchcst.exe	34
PID 2788 wrote to memory of 2320	2788	svchcst.exe	34
PID 2788 wrote to memory of 2320	2788	svchcst.exe	34
PID 2788 wrote to memory of 2320	2788	svchcst.exe	34
PID 2320 wrote to memory of 2588	2320	WScript.exe	35
PID 2320 wrote to memory of 2588	2320	WScript.exe	35
PID 2320 wrote to memory of 2588	2320	WScript.exe	35
PID 2320 wrote to memory of 2588	2320	WScript.exe	35
PID 2588 wrote to memory of 1528	2588	svchcst.exe	36
PID 2588 wrote to memory of 1528	2588	svchcst.exe	36
PID 2588 wrote to memory of 1528	2588	svchcst.exe	36
PID 2588 wrote to memory of 1528	2588	svchcst.exe	36
PID 1528 wrote to memory of 2880	1528	WScript.exe	37
PID 1528 wrote to memory of 2880	1528	WScript.exe	37
PID 1528 wrote to memory of 2880	1528	WScript.exe	37
PID 1528 wrote to memory of 2880	1528	WScript.exe	37
PID 2880 wrote to memory of 2900	2880	svchcst.exe	38
PID 2880 wrote to memory of 2900	2880	svchcst.exe	38
PID 2880 wrote to memory of 2900	2880	svchcst.exe	38
PID 2880 wrote to memory of 2900	2880	svchcst.exe	38
PID 2900 wrote to memory of 1048	2900	WScript.exe	39
PID 2900 wrote to memory of 1048	2900	WScript.exe	39
PID 2900 wrote to memory of 1048	2900	WScript.exe	39
PID 2900 wrote to memory of 1048	2900	WScript.exe	39
PID 1048 wrote to memory of 2252	1048	svchcst.exe	40
PID 1048 wrote to memory of 2252	1048	svchcst.exe	40
PID 1048 wrote to memory of 2252	1048	svchcst.exe	40
PID 1048 wrote to memory of 2252	1048	svchcst.exe	40
PID 2252 wrote to memory of 1076	2252	WScript.exe	41
PID 2252 wrote to memory of 1076	2252	WScript.exe	41
PID 2252 wrote to memory of 1076	2252	WScript.exe	41
PID 2252 wrote to memory of 1076	2252	WScript.exe	41
PID 1076 wrote to memory of 1992	1076	svchcst.exe	42
PID 1076 wrote to memory of 1992	1076	svchcst.exe	42
PID 1076 wrote to memory of 1992	1076	svchcst.exe	42
PID 1076 wrote to memory of 1992	1076	svchcst.exe	42
PID 1992 wrote to memory of 1680	1992	WScript.exe	43
PID 1992 wrote to memory of 1680	1992	WScript.exe	43
PID 1992 wrote to memory of 1680	1992	WScript.exe	43
PID 1992 wrote to memory of 1680	1992	WScript.exe	43
PID 1680 wrote to memory of 1044	1680	svchcst.exe	44
PID 1680 wrote to memory of 1044	1680	svchcst.exe	44
PID 1680 wrote to memory of 1044	1680	svchcst.exe	44
PID 1680 wrote to memory of 1044	1680	svchcst.exe	44
PID 1044 wrote to memory of 2448	1044	WScript.exe	45
PID 1044 wrote to memory of 2448	1044	WScript.exe	45
PID 1044 wrote to memory of 2448	1044	WScript.exe	45
PID 1044 wrote to memory of 2448	1044	WScript.exe	45
PID 2448 wrote to memory of 2424	2448	svchcst.exe	46
PID 2448 wrote to memory of 2424	2448	svchcst.exe	46
PID 2448 wrote to memory of 2424	2448	svchcst.exe	46
PID 2448 wrote to memory of 2424	2448	svchcst.exe	46
PID 2016 wrote to memory of 2704	2016	svchcst.exe	48
PID 2016 wrote to memory of 2704	2016	svchcst.exe	48
PID 2016 wrote to memory of 2704	2016	svchcst.exe	48
PID 2016 wrote to memory of 2704	2016	svchcst.exe	48

C:\Users\Admin\AppData\Local\Temp\9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe
"C:\Users\Admin\AppData\Local\Temp\9ef9336d389f4ece363a9496e14a7e61e5f0facdba8cfef6f8145ca818bfa29d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2348
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2088
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2788
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2320
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2588
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        11⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        12⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        13⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        14⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        15⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        16⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2424
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2704
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2604
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        18⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2852
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        19⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
863a0c0893a2e07f4f4f06203682de79

SHA1
162798506f704dfab1de2cafe780a8846aa4c39a

SHA256
81d64229854d88f7887ae8366dcdb70d20f641ff216dbb86907fdcb551ed5e13

SHA512
b7e7ce8c4c1926a3a572974e518a17b33380ecf57935fa7c95bd32a65c8e8d8b164cac2b2020f5d41b56fd2f3c6bd2737c4e98def90fd5500aa4923bc7546fa1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
344b0286b823cd492e5ca9c83c00ba11

SHA1
b76dbac9b5724f5b1e11a10ed7a2125edb16259b

SHA256
04ea89515062031f99eb08fad07de798532e0adea7ff18c0c9a8b1e3a1d4dbbd

SHA512
9aba17235e4f1bd62f45545cfa0e4f302c0471732b33a8398b462e334126c5a3e74fdcbe17db70029184cc1207f558efc46b868475fb607ad536288b0796bb80

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
c94fda6716d92036e02a0e70b433735f

SHA1
eb4e57b1461e03a201dbfd20dd308ca88694e55d

SHA256
ca8d32856a5ad76e2bf41249ee83a498c238f51d9d3addbd5ca456ee6a6108ba

SHA512
bf4b3613a4d6d2854f7750a73f84579a3022c2aaae770c392c3d4b273cbb2b493028f8109856ba66ee4636bcfac53b61b7f9b689002858a040b62b47d097d24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
a28791ebea83786bb5889ef857a9e493

SHA1
0c7cc3d05c844d5edd4535fbd48d2c73b2764630

SHA256
ad8607d9518b14cf6e9f567194700afa64c424bbe7da5b1819babbc7678a98bf

SHA512
d357643579f32de1c3f28b9d717d4d82a91d2ae25014a2ab52c0b6340ea577c31386cfa7901694f47889e5966ab11ff6888ae19a8602f812d2484827295d12ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e5bba46683440caa1508061b6e638120

SHA1
538ff5b7cb3ca90cee3e60bae0b487f4b78912de

SHA256
9b324dbd185a14c0ebfd2cd2731f6bb32c501dfefa7aef4f65b137357502c65d

SHA512
466f00fee10e323273e5d1151062e9fcc36f5657a404c6dd3c0c9ecb56e5205930087e612b13a9c6d1a56df7e05a2bd9c14e95debd5e5aed96ad2ef867e8de4d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
80ebf5d44551af5680e6faa0b57e8c8b

SHA1
2e17219fbf9ac0ffaf25efb6a11dfe6e9e404798

SHA256
ca82157de4bf3edea1ce728fea480f64259153ea391b2be7b5f59864c0ae7a53

SHA512
a96c9d64087a4b9eccb235e9e1b19da6adfa1adc40ea11eca5cca69cc7b57eb4c3a299eb2103768398d99aee534c3eced7e76099917c52d1499ea9af07ba2ca8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
d7e57302723e6adcd36bc753c7cb3d1b

SHA1
24f5af99f2988b5fa7383dae1f53347b597956a3

SHA256
abf7ef48d31eaabd0227b0a91a44e8b53e9fbadff16ef2d9c2b131776898977e

SHA512
0aee51cab495d2df1e1957f85cbfa1a8ca95fad5fa669d2f0918a0e4be4d090c868582935136684d872695bdd075523ad1386639690e9d7016201b6985a9c8a6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
f262d0722b88145e786399f42047785d

SHA1
9f4426b6ac52bb0456945b0619fcd355d118a0b7

SHA256
f20592c5d5216a153e7d9fc67c87e2d3346f3781014162462e824a5dbc4c7aef

SHA512
da8aa8fd4f84c224f7c6f3fe483b030e2307f3313c003f17f6b9c943f9ea9d052d9d9297f93fdf49428eedd235ef6d7efe0199e1620e55cb052f2ca3cb492eb1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
427acf0d31e4c051a5ecca486df18aaa

SHA1
66ed2e8e5533846366375ce855fb7b5d574d97fc

SHA256
397aa2536df328968f7006d3c5a2d0e7e53ab1e6d2deae8bb5bc7a242b4ba012

SHA512
aa2fe9a10550076d478762ed2043437460bfa1d81c3e6b793127d1235f8a6e75dc6002aad415f8086387faf7dc75a83f1790662cdfa58aa66596c640ed35b778

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
befbd4e4943acb14fe2d0b8ade25e184

SHA1
d167cd18ed21964efcd9fa0a167d1068fa4a4bc3

SHA256
f6c1216db4e3d16849274418ba9133b56d2816825f821309c7b26b745609e03b

SHA512
5da5f1ac6f4669040443ca60e625d8eb6ba1ff2e8732fadba6cf062a11bc9376462f8efeca7757ea1b754d76661dddae6290c46e3ce9181a3315d90d63cb4970

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
3291edf8335207d154e5b3435a459655

SHA1
6111c4279c641ad5b4f34c2be125002d4acf9966

SHA256
018d162a3d2cab358c125ca580acd7f81a74d11de0e0d3e26dcc5aeca525284a

SHA512
0175a3f39874a09c9e771525efcdab41a267f0083d72e602c10d0b42ee19481827e930c871953c15d43dbd65ad8bdabbeecaeae5f7b361658992abd387e0c927

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
55924f28eeecfe4734c03ab9a430fc48

SHA1
1fc8923b6c45df4066161296e1ef0489f8bf8571

SHA256
abd993c0581a2d6d0d99da55c5e5fedd45ea3d5a3d58c85b9e973c7b82ada2a4

SHA512
f459ee706e0d8ed60942d09e40ba6879650ac246244d31234bd87f94bf7935b9bbd293dc42ca73bf7df9fd5821d431a60e9d6eaf5aedb20b98b74d995e09750b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
1c41710f20981113e826b03bf93df0af

SHA1
c9c44c962a15eb355439865aee2a4b8909370dbe

SHA256
5b65d8e197be5a270747f878fd6aa755eff00b07fce00182326a3b6467678480

SHA512
1a82dd1c1ff907749ffc2335fb9a09533eb4d13dfc4dd7beffeb49f8f30f6b80c282a2637c6030be8e0ad1b9007b10508bbece121cd169578a4c9d94503f6d96

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
e28c8ee163edb47c3e4ff55f355ff9fc

SHA1
958bfefa1923648f64e0a1407d18fce602d98527

SHA256
c4eadf51d50ade4d9f8a134c6559042ee374082a782f2d3eb3a375477eadad65

SHA512
f12066ada3ec2766198f21f6d2d424b77740ac83aa41cdf4b599a644a6f9a6d18c9353d2cb5f2466cfcbe35690306dac9282349e1d201d83f76f1d10448bf151

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c09c4a95059c5b8ba783c9572cfd4abd

SHA1
5e9da1fcc38d14d35d2355bdf1f9427f42d5eea7

SHA256
e66ec82911f79ba92c4a999ff8ffbebfc00369553220fd8555cf04cceb82a163

SHA512
ee31a1e4d33dbb2443a810b7db7fed7d6d601369562e51d69f3bf9213f18c07cae9c8144bbb654011436f6b6691c5a74dc944e92f40d265266df9c3ba4552c53

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
87710b72a1055176ad8ab33146080431

SHA1
985173fc166a88eb6141202b17bbcd62cd69da14

SHA256
45fa0b59d8c076bb46b3b670e771e8bd5b338f9896b46b33d12987201b43138a

SHA512
25cf595a5e1b7eefc9bf1784413d0575466ebcbe552c1e7a4161d7554fd9b04e6931597df599a0284c98928c694f1bc655995c17f50fb3800aaff780cf8061ba

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c9f37595d3583e4b97425ffc9c8561d2

SHA1
173ea4dfc0175d9336010a7d4e92d565f2f745c6

SHA256
0949ff7db8dadb5bec08b0b661fa84af03f08b4e6f4979b5e528f3c432e0244d

SHA512
d591b486d30d55f8989b66935a8837a6782b99f2957ba30ac36b48ecbec5a5c1a15b9f9d84b763cb71af9b1a72bf2efe53f5d9682ebf7e861dc2515f4101c6ff

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
fd618bd7d08e4dd1c17bfec0a645a6a3

SHA1
3430ff0909e07c6731258eb19229659b3cf72500

SHA256
4f74b762f38bc98ff0fa14b089ccbe3a970935371fc428afa1bdaa6a43d45aa2

SHA512
2f45477e3d063987f9e1db58cf229f2cdcc1040e10d917501dde228bd627d2fa14ae28e34f13007bad3849a7125dda9a56bcc139f47e6879f2a9eb8205e9b43c

Download Submit
memory/2348-8-0x0000000000400000-0x0000000000551000-memory.dmp

Filesize
1.3MB

Download