31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405

Analysis

max time kernel
120s
max time network
125s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 21:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
Size

1.1MB
MD5

db17d8c37133f9f44f0302ae479f8743
SHA1

d1e69e64a6dad7a016b5854179749976786d3518
SHA256

31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405
SHA512

b071a30ce563659c5fe047223bb7c86e37d6d396089d02c0a78e5fdf318143059a02b0b820e48cd3d1b9338a4bbbb62123c9f2b785707a1ec54388c78c37d396
SSDEEP

24576:aH0dl8myX9Bg42QoXFkrzkmplSgRDYo0lG4Z8r7Qfbkiu5QB:acallSllG4ZM7QzMi

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
428	svchcst.exe

Executes dropped EXE 12 IoCs

pid	Process
428	svchcst.exe
2864	svchcst.exe
432	svchcst.exe
2024	svchcst.exe
1548	svchcst.exe
280	svchcst.exe
2076	svchcst.exe
2552	svchcst.exe
2824	svchcst.exe
2684	svchcst.exe
2772	svchcst.exe
2564	svchcst.exe

Loads dropped DLL 14 IoCs

pid	Process
2112	WScript.exe
2112	WScript.exe
2200	WScript.exe
2200	WScript.exe
2964	WScript.exe
2964	WScript.exe
1032	WScript.exe
972	WScript.exe
1032	WScript.exe
1536	WScript.exe
1536	WScript.exe
1256	WScript.exe
1256	WScript.exe
1536	WScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 23 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchcst.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe
428	svchcst.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe

Suspicious use of SetWindowsHookEx 26 IoCs

pid	Process
2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
428	svchcst.exe
428	svchcst.exe
2864	svchcst.exe
2864	svchcst.exe
432	svchcst.exe
432	svchcst.exe
2024	svchcst.exe
2024	svchcst.exe
1548	svchcst.exe
1548	svchcst.exe
280	svchcst.exe
280	svchcst.exe
2076	svchcst.exe
2076	svchcst.exe
2552	svchcst.exe
2552	svchcst.exe
2824	svchcst.exe
2824	svchcst.exe
2684	svchcst.exe
2684	svchcst.exe
2772	svchcst.exe
2772	svchcst.exe
2564	svchcst.exe
2564	svchcst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2740	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	30
PID 2712 wrote to memory of 2740	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	30
PID 2712 wrote to memory of 2740	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	30
PID 2712 wrote to memory of 2740	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	30
PID 2712 wrote to memory of 2112	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	31
PID 2712 wrote to memory of 2112	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	31
PID 2712 wrote to memory of 2112	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	31
PID 2712 wrote to memory of 2112	2712	31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe	31
PID 2112 wrote to memory of 428	2112	WScript.exe	33
PID 2112 wrote to memory of 428	2112	WScript.exe	33
PID 2112 wrote to memory of 428	2112	WScript.exe	33
PID 2112 wrote to memory of 428	2112	WScript.exe	33
PID 428 wrote to memory of 2200	428	svchcst.exe	34
PID 428 wrote to memory of 2200	428	svchcst.exe	34
PID 428 wrote to memory of 2200	428	svchcst.exe	34
PID 428 wrote to memory of 2200	428	svchcst.exe	34
PID 428 wrote to memory of 2964	428	svchcst.exe	35
PID 428 wrote to memory of 2964	428	svchcst.exe	35
PID 428 wrote to memory of 2964	428	svchcst.exe	35
PID 428 wrote to memory of 2964	428	svchcst.exe	35
PID 2200 wrote to memory of 2864	2200	WScript.exe	36
PID 2200 wrote to memory of 2864	2200	WScript.exe	36
PID 2200 wrote to memory of 2864	2200	WScript.exe	36
PID 2200 wrote to memory of 2864	2200	WScript.exe	36
PID 2964 wrote to memory of 432	2964	WScript.exe	37
PID 2964 wrote to memory of 432	2964	WScript.exe	37
PID 2964 wrote to memory of 432	2964	WScript.exe	37
PID 2964 wrote to memory of 432	2964	WScript.exe	37
PID 2864 wrote to memory of 1468	2864	svchcst.exe	38
PID 2864 wrote to memory of 1468	2864	svchcst.exe	38
PID 2864 wrote to memory of 1468	2864	svchcst.exe	38
PID 2864 wrote to memory of 1468	2864	svchcst.exe	38
PID 2964 wrote to memory of 2024	2964	WScript.exe	39
PID 2964 wrote to memory of 2024	2964	WScript.exe	39
PID 2964 wrote to memory of 2024	2964	WScript.exe	39
PID 2964 wrote to memory of 2024	2964	WScript.exe	39
PID 2024 wrote to memory of 1032	2024	svchcst.exe	40
PID 2024 wrote to memory of 1032	2024	svchcst.exe	40
PID 2024 wrote to memory of 1032	2024	svchcst.exe	40
PID 2024 wrote to memory of 1032	2024	svchcst.exe	40
PID 2024 wrote to memory of 972	2024	svchcst.exe	41
PID 2024 wrote to memory of 972	2024	svchcst.exe	41
PID 2024 wrote to memory of 972	2024	svchcst.exe	41
PID 2024 wrote to memory of 972	2024	svchcst.exe	41
PID 1032 wrote to memory of 1548	1032	WScript.exe	42
PID 1032 wrote to memory of 1548	1032	WScript.exe	42
PID 1032 wrote to memory of 1548	1032	WScript.exe	42
PID 1032 wrote to memory of 1548	1032	WScript.exe	42
PID 972 wrote to memory of 280	972	WScript.exe	43
PID 972 wrote to memory of 280	972	WScript.exe	43
PID 972 wrote to memory of 280	972	WScript.exe	43
PID 972 wrote to memory of 280	972	WScript.exe	43
PID 1548 wrote to memory of 1536	1548	svchcst.exe	44
PID 1548 wrote to memory of 1536	1548	svchcst.exe	44
PID 1548 wrote to memory of 1536	1548	svchcst.exe	44
PID 1548 wrote to memory of 1536	1548	svchcst.exe	44
PID 1032 wrote to memory of 2076	1032	WScript.exe	45
PID 1032 wrote to memory of 2076	1032	WScript.exe	45
PID 1032 wrote to memory of 2076	1032	WScript.exe	45
PID 1032 wrote to memory of 2076	1032	WScript.exe	45
PID 1536 wrote to memory of 2552	1536	WScript.exe	46
PID 1536 wrote to memory of 2552	1536	WScript.exe	46
PID 1536 wrote to memory of 2552	1536	WScript.exe	46
PID 1536 wrote to memory of 2552	1536	WScript.exe	46

C:\Users\Admin\AppData\Local\Temp\31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe
"C:\Users\Admin\AppData\Local\Temp\31adc783303380f8f2147c37daf3068b8235343d1218b742f62f6f0a21af6405.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:428
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2200
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2864
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1468
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
      4⤵
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2964
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:432
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1548
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2552
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2824
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2564
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2076
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        8⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:1256
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2684
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        9⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2772
      - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs"
        6⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe"
        7⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:280

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Config.ini

Filesize
92B

MD5
67b9b3e2ded7086f393ebbc36c5e7bca

SHA1
e6299d0450b9a92a18cc23b5704a2b475652c790

SHA256
44063c266686263f14cd2a83fee124fb3e61a9171a6aab69709464f49511011d

SHA512
826fbc9481f46b1ae3db828a665c55c349023caf563e6e8c17321f5f3af3e4c3914955db6f0eebfc6defe561315435d47310b4d0499ab9c2c85bb61264dedc09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
dabf4e9d32908d961aaffdd1c77d4879

SHA1
e41572d98b7452016fb004c843236377364ab1d3

SHA256
3488c64a6d2da3c00e50e954c495ac354ee504e54f3ed6dda6a991c5b9d33e19

SHA512
911d46aca8005857c86eddbb3cbbc4301ee5e173b2358a717053cf12727c06cc3b2d757ddf513f969dafe61c6b88d03b1478d8c483495f153e30bf64585195aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
6cc9dd78b42e2ca0e1deb237988b6ae2

SHA1
6ec16a7e43a4c558a19f125758d56ed9a180e6ee

SHA256
11367ac6f6a1b237ca69aeeb571a435181256f8836d6910f036beb90e160f7b2

SHA512
331f0ae896c0fb9906dd2fc2e3d58860073af97deb31cdb2184cc4bd104e2e066bfec6bdef0e16a8eda3d5605875fe7c03480b1e2d68bc9d7e3a2b237a3020a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
1ac4421f71447c6f92ce3ac17a3d9d38

SHA1
97f4ebc5875af7ee54f93ba70089361ca88da8af

SHA256
615df52b00308d2a7f8aed927fd28d1e40b5ac6cf5e6da78ec69acd149618d59

SHA512
3d7d6a0124324731462a5e71d797c77e9942371fbdda8b870cb9d035db293ef1765e1890737fd89fd1b9d56941bd04745f93c95c844057830605365367ea410e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
08e59d2d672728796d1d263f61b8e693

SHA1
e2cf49b43ffba5735bf7d9aa4e1da8c5a1a4a243

SHA256
f0504a6142a9709ba8612a4e55816d410dc92778bedea66d34316e77edd2f923

SHA512
328bc5a9404388f3ef192bb0e4da20cc34b9eacd974299461b5cc2f37ce7d7f9bb494e933fe7e8bca0baa037b40778b06965e76ce258b596b60e88bd6b2f4253

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
0667072f0b99c114be29b17a58be850a

SHA1
8ec8d5ba1f5842c2f07a4332fb04ba60b0bc7143

SHA256
002841eff29a50e5cf34cf60cfb5bbbf780c4d2f8809016ab22a0e084fc10d07

SHA512
5e0c61897463fd935f2e0420389e4d7c6b08232e63175ccc96db2b6f3d294e9196bc5efd6445ccc8f460efc0791c13ea040b36ce3130f12e414a3ab7b678dfd9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
696B

MD5
e4e96c55460da5fa5643648177198d56

SHA1
da09b8271cfd09349b8e79bd8856671e6124d6a0

SHA256
6ca56d2034da62f3a82f84935631e9d90430875cfd9b95382fdf1210758ba761

SHA512
23da2c3c87c8e52aab70931c7ca6f0d04f453cff01bda2fe078a060468d9d7b9e544635eb11976541246eaed2e4cac06e0ed7ed86bce775f95ff5d5f40c5d1bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\VBS3.vbs

Filesize
753B

MD5
56ea9607ff7d5bb79556dfffb621b318

SHA1
f1696b560709128eb45148e9f06668aed8134e42

SHA256
3de7a83eb3036ffe5212e707695424f366195a284348dd073558a8829c064273

SHA512
6a05b9b076fc01eaed825495f0a89378b6778c896b4c81de5e0aca32d96d569997ca30d311ee21d71b0fa6c7e82b896b87ff49a73b9edf80a35f6529737cd33a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
33a7ad19641c268df3e08e8da5deb263

SHA1
c35cab47727e5134f0fda77365952d9ed246be73

SHA256
05f1d32b0a5ca34619923ebabfb96f6ef02be3bd44eb48fc9aa4c68770a4c438

SHA512
0049a0412e841f9ff544247a18d975129a581d263283cf997696c7d8cf6b7882aa39527249f8b7eabbf8a7693175de5831d13f83c0f0c13c3e2398362c2834e7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\svchcst.exe

Filesize
1.1MB

MD5
c91880a212ea72cd99082e755c566283

SHA1
d19c59ecceea7f4f035621d62ca7afa1348cccd7

SHA256
d9fd38c0b9e1a265b165660050c7a975ed80a91ccdc5c47254046375cc217531

SHA512
1365cb26126dfa3cffc147caac12a55949d83eee72e9aed72dedcd1e21c1de3990543c6e4b0eebf57d1c1e6d11a629a360e9d4930f22dd34fb2aa5e6b2c4656f

Download Submit
memory/280-72-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/428-19-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/428-30-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/432-46-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1032-78-0x0000000005370000-0x00000000054CF000-memory.dmp

Filesize
1.4MB

Download
memory/1256-101-0x00000000051E0000-0x000000000533F000-memory.dmp

Filesize
1.4MB

Download
memory/1256-113-0x0000000003CB0000-0x0000000003E0F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-94-0x00000000052F0000-0x000000000544F000-memory.dmp

Filesize
1.4MB

Download
memory/1536-85-0x0000000003D70000-0x0000000003ECF000-memory.dmp

Filesize
1.4MB

Download
memory/1548-65-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/1548-76-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-52-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2024-61-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2076-91-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2112-15-0x0000000003B00000-0x0000000003C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2112-17-0x0000000003B00000-0x0000000003C5F000-memory.dmp

Filesize
1.4MB

Download
memory/2200-34-0x0000000005190000-0x00000000052EF000-memory.dmp

Filesize
1.4MB

Download
memory/2200-35-0x0000000005190000-0x00000000052EF000-memory.dmp

Filesize
1.4MB

Download
memory/2552-87-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2552-86-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2564-117-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-104-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2684-103-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-0-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2712-12-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-116-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2772-114-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-108-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2824-95-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-48-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2864-37-0x0000000000400000-0x000000000055F000-memory.dmp

Filesize
1.4MB

Download
memory/2964-51-0x0000000005290000-0x00000000053EF000-memory.dmp

Filesize
1.4MB

Download