Malware Analysis Report

2024-12-07 14:40

Sample ID 241011-s51d3avenj
Target code.vbs
SHA256 a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037
Tags defense_evasion discovery exploit persistence ransomware
Score 9/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score

9/10

SHA256

a7e0361d293c68159a7d48b5cfeef5804ba938df7e6e0dfbb1e6ca200bcfd037

Threat Level: Likely malicious

The file code.vbs was found to be: Likely malicious.

Malicious Activity Summary

defense_evasion discovery exploit persistence ransomware

Renames multiple (24555) files with added filename extension

Renames multiple (25612) files with added filename extension

Drops file in Drivers directory

Possible privilege escalation attempt

Checks computer location settings

Boot or Logon Autostart Execution: Print Processors

Indicator Removal: Clear Windows Event Logs

Modifies file permissions

Drops file in System32 directory

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-11 15:43

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-11 15:43

Reported

2024-10-11 15:45

Platform

win11-20241007-en

Max time kernel

147s

Max time network

151s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

Signatures

Renames multiple (25612) files with added filename extension

ransomware

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\NDKPing.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\mountmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\es-ES\disk.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ja-JP\wacompen.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\mslldp.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\netvsc.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\intelppm.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\WifiCx.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\iaLPSS2i_GPIO2_GLK.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\EhStorTcgDrv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\HvService.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\USBHUB3.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\UMDF\en-US\UsbccidDriver.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\HyperVideo.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\agilevpn.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\IndirectKmd.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\vhdmp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\iaLPSS2i_GPIO2_BXT_P.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\es-ES\ndiscap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fr-FR\EhStorTcgDrv.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fr-FR\rdpdr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\UMDF\es-ES\UsbccidDriver.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\hidbatt.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\msgpiowin32.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\USBCAMD2.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ja-JP\kbdclass.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\sermouse.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\hyperkbd.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\sermouse.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\rdpdr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\acpi.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\cdrom.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\NdisVirtualBus.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\winnat.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\volsnap.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\smbdirect.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\es-ES\partmgr.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\tcpip.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\CEA.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fdc.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\ndis.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\tsusbflt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\bthenum.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\isapnp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\hdaudbus.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\kmpdc.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\dmvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fr-FR\cdrom.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ja-JP\tcpip.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\UMDF\ja-JP\SensorsCx.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\USBXHCI.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fr-FR\usbhub.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\it-IT\dmvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ExecutionContext.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\usb8023.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\USBHUB3.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\UMDF\de-DE\idtsec.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\mouclass.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ndis.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\hidbatt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\es-ES\vhdmp.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fr-FR\wof.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\UsbPmApi.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\winnat.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A

Possible privilege escalation attempt

exploit
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description | Indicator | Process | Target
File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat | C:\Windows\System32\WScript.exe | N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description | Indicator | Process | Target
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-ManagementAgent%4WHC.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4FirewallDiagnostics.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CloudStore%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TenantRestrictions%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Connectivity.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4LogonTasksChannel.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-FileHistory-Core%4WHC.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Ntfs%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AAD%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4CaptureMonitor.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Containers-Wcifs%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-NCrypt%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TWinUI%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\OAlerts.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppReadiness%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppxPackaging%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-ShellCommon-StartLayoutPopulation%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageManagement%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Restricted.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-HelloForBusiness%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Wcmsvc%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx.bat | C:\Windows\System32\WScript.exe | N/A

Modifies file permissions

discovery
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\system32\takeown.exe | N/A
N/A | N/A | C:\Windows\system32\icacls.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\NetDriverInstall.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Package-base-merged-Package~31bf3856ad364e35~amd64~~10.0.22000.376.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\de-DE\propsys.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\Dism\UnattendProvider.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\ntprint.inf_amd64_69e8e0efb212ba16\Amd64\LOCALE.GPD.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\ja-jp\mcicda.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\VoipRT.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-IIS-WebServer-ServerCommon-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\cs-CZ\APHostRes.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\en-US\usosvc.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\fr-FR\cob-au.rs.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\NetSwitchTeam\MSFT_NetSwitchTeamMember.cdxml.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\it-IT\WUDFUsbccidDriver.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\es-ES\msacm32.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\it-IT\softkbd.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\uk-UA\WfHC.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\findstr.exe.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\tlscsp.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\it-IT\net7400-x64-n650.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\fr-FR\winlogon.mfl.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\atmlib.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-WindowsCore-Network-FlowSteering-Package~31bf3856ad364e35~amd64~fr-FR~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-WMPNetworkSharingService-Opt-Package~31bf3856ad364e35~amd64~de-DE~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\es-ES\diagperf.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-InternetExplorer-merged-Package~31bf3856ad364e35~amd64~de-DE~11.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\es-ES\seclogon.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\vds.mof.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\AutoRecover\9B7AE939DC5E63135058FA28EB025C7C.mof.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Holographic-Desktop-Merged-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Multimedia-RestrictedCodecsExt-WCOSMinusHeadless-WOW64-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\en-US\windows.internal.shellcommon.shareexperience.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\it-IT\mmcshext.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\migwiz\replacementmanifests\Microsoft-Windows-SoftwareInventoryLogging-ScheduledTasks-Replacement.man.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmhay2.inf_amd64_6b35ae132cca4253\mdmhay2.inf.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\mdmsonyu.inf_amd64_81026882a3888d9c\mdmsonyu.inf.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\ws3cap.inf_amd64_cfe8f1c2f6f0f4f7\vms3cap.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\en-US\sensordataservice.exe.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\btpanui.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DeviceCompanionAppInstall.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-OneCore-Containers-Opt-Package~31bf3856ad364e35~amd64~uk-UA~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\iastorav.inf_amd64_87f761c07c99d5e7\iaStorAVC.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~es-ES~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-EventLog-Api-Package~31bf3856ad364e35~amd64~ja-JP~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\de-DE\adrclient.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\en-US\cli.mfl.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\Performance\WmiApRpl.h.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\credprovs.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\FileRepository\cpu.inf_amd64_4930e9ac235a7d97\amdk8.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\es-ES\eappcfgui.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\appbackgroundtask.mof.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\en-US\Tabbtn.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\WindowsPowerShell\v1.0\Modules\AppBackgroundTask\MSFT_BackgroundTask.Format.ps1xml.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\Windows.Media.Streaming.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MobilePC-Client-Basic-Package~31bf3856ad364e35~amd64~en-US~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-MSMQ-MMC-OptGroup-WOW64-Package~31bf3856ad364e35~amd64~~10.0.22000.318.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DriverStore\it-IT\gameport.inf_loc.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\fr-FR\joy.cpl.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\wbem\AutoRecover\A7463B23BFE582993515A0109F19D304.mof.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\it-IT\DeviceDirectoryClient.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\uk-UA\rasmm.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\DefaultDeviceManager.dll.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Web-Services-for-Management-WinRM-WecSvc-Http-Registration-Package~31bf3856ad364e35~amd64~~10.0.22000.1.cat.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\en-US\hid.dll.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\en-US\kmddsp.tsp.mui.bat | C:\Windows\System32\WScript.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2168 wrote to memory of 4644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 2168 wrote to memory of 4644 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe
PID 4644 wrote to memory of 228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4644 wrote to memory of 228 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe
PID 4644 wrote to memory of 4744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe
PID 4644 wrote to memory of 4744 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

Network

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708

memory/2168-1487-0x00007FFBFD850000-0x00007FFBFDBC8000-memory.dmp

memory/2168-1514-0x00007FFBFB3C0000-0x00007FFBFB43F000-memory.dmp

memory/2168-1518-0x00007FFBEA5E0000-0x00007FFBEA5FD000-memory.dmp

memory/2168-1515-0x00007FFBFC940000-0x00007FFBFC9EF000-memory.dmp

memory/2168-1509-0x00007FFBFC860000-0x00007FFBFC90E000-memory.dmp

memory/2168-2711-0x00007FFBFAFA0000-0x00007FFBFAFEC000-memory.dmp

memory/2168-2714-0x00007FFBF22A0000-0x00007FFBF2305000-memory.dmp

memory/2168-2712-0x00007FFBE7430000-0x00007FFBE74DC000-memory.dmp

memory/2168-2704-0x00007FFBFAB20000-0x00007FFBFAB2C000-memory.dmp

memory/2168-11646-0x00007FFBFDEA0000-0x00007FFBFE0A9000-memory.dmp

memory/2168-11659-0x00007FFBFCAE0000-0x00007FFBFCB9D000-memory.dmp

memory/2168-11668-0x00007FFBFB440000-0x00007FFBFB7B4000-memory.dmp

memory/2168-11967-0x00007FFBFBC20000-0x00007FFBFBD32000-memory.dmp

memory/2168-11974-0x00007FFBEDB60000-0x00007FFBEDB6A000-memory.dmp

memory/2168-11979-0x00007FFBFB110000-0x00007FFBFB1B2000-memory.dmp

memory/2168-11993-0x00007FFBF1FC0000-0x00007FFBF1FF8000-memory.dmp

memory/2168-11998-0x00007FFBEDB40000-0x00007FFBEDB5D000-memory.dmp

memory/2168-12009-0x00007FFBF3AB0000-0x00007FFBF3C9E000-memory.dmp

memory/2168-12015-0x00007FFBFA9B0000-0x00007FFBFA9D9000-memory.dmp

memory/2168-12020-0x00007FFBF8D70000-0x00007FFBF8DA4000-memory.dmp

memory/2168-12017-0x00007FFBF4620000-0x00007FFBF4E36000-memory.dmp

memory/2168-11999-0x00007FFBFD480000-0x00007FFBFD56A000-memory.dmp

memory/2168-12013-0x00007FFBFA6B0000-0x00007FFBFA6F2000-memory.dmp

memory/2168-12012-0x00007FFBF9ED0000-0x00007FFBF9EDC000-memory.dmp

memory/2168-12011-0x00007FFBF36D0000-0x00007FFBF36F8000-memory.dmp

memory/2168-12010-0x00007FFBF3730000-0x00007FFBF39E2000-memory.dmp

memory/2168-12008-0x00007FFBE5900000-0x00007FFBE5959000-memory.dmp

memory/2168-12007-0x00007FFBE5960000-0x00007FFBE5986000-memory.dmp

memory/2168-12005-0x00007FFBFB2C0000-0x00007FFBFB2E1000-memory.dmp

memory/2168-12003-0x00007FFBF7970000-0x00007FFBF7A67000-memory.dmp

memory/2168-12002-0x00007FFBFC790000-0x00007FFBFC7ED000-memory.dmp

memory/2168-11994-0x00007FFBFCBB0000-0x00007FFBFD35E000-memory.dmp

memory/2168-11992-0x00007FFBF2000000-0x00007FFBF203A000-memory.dmp

memory/2168-11991-0x00007FFBF5270000-0x00007FFBF5286000-memory.dmp

memory/2168-11989-0x00007FFBFA3F0000-0x00007FFBFA425000-memory.dmp

memory/2168-11988-0x00007FFBFAB60000-0x00007FFBFAB72000-memory.dmp

memory/2168-11987-0x00007FFBFBA40000-0x00007FFBFBBA2000-memory.dmp

memory/2168-11984-0x00007FFBF2040000-0x00007FFBF20D8000-memory.dmp

memory/2168-11982-0x00007FFBFDBD0000-0x00007FFBFDCEE000-memory.dmp

memory/2168-11978-0x00007FFBF8AA0000-0x00007FFBF8B4C000-memory.dmp

memory/2168-11976-0x00007FFBFA490000-0x00007FFBFA4A8000-memory.dmp

memory/2168-11975-0x00007FFBFC5B0000-0x00007FFBFC5E1000-memory.dmp

memory/2168-11972-0x00007FFBFD360000-0x00007FFBFD3FE000-memory.dmp

memory/2168-11968-0x00007FFBFC5F0000-0x00007FFBFC78A000-memory.dmp

memory/2168-11966-0x00007FFBFC910000-0x00007FFBFC939000-memory.dmp

memory/2168-11965-0x00007FFBFB390000-0x00007FFBFB3B6000-memory.dmp

memory/2168-11964-0x00007FFBFBDD0000-0x00007FFBFBF7C000-memory.dmp

memory/2168-11961-0x00007FFBFB860000-0x00007FFBFB971000-memory.dmp

memory/2168-11960-0x00007FFBFB7C0000-0x00007FFBFB85D000-memory.dmp

memory/2168-11958-0x00007FFBFDDA0000-0x00007FFBFDE43000-memory.dmp

memory/2168-11959-0x00007FFBFD570000-0x00007FFBFD646000-memory.dmp

memory/2168-11963-0x00007FFBFD650000-0x00007FFBFD770000-memory.dmp

memory/2168-25641-0x00007FF67CBE0000-0x00007FF67CC0A000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-11 15:43

Reported

2024-10-11 15:45

Platform

win10v2004-20241007-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

Signatures

Renames multiple (24555) files with added filename extension

ransomware

Drops file in Drivers directory

Description | Indicator | Process | Target
File created | C:\Windows\System32\drivers\es-ES\mssmbios.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\pcw.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\usbcir.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\scmbus.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\null.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\urscx01000.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\vms3cap.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\wcnfs.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\rfxvmt.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ja-JP\tsusbhub.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\dxgmms2.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\hdaudbus.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\rasl2tp.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\de-DE\synth3dvsc.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\hidclass.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\lsi_sss.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ufxsynopsys.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\es-ES\nvdimm.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\fr-FR\sdstor.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\ja-JP\USBXHCI.SYS.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\rdbss.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\storahci.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\en-US\wfplwfs.sys.mui.bat | C:\Windows\System32\WScript.exe | N/A
File created | C:\Windows\System32\drivers\iaStorAVC.sys.bat | C:\Windows\System32\WScript.exe | N/A
File created C:\Windows\System32\drivers\en-US\hvservice.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\modem.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\mvumis.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\pacer.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\mrxsmb.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\exfat.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\modem.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\ws2ifsl.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\mountmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\dmvsc.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\pcmcia.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\rdvgkmd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fileinfo.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\netvsc.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\volsnap.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\dumpsd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\netvsc.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\partmgr.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\hidbatt.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\dumpsd.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fvevol.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\it-IT\usbhub.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\it-IT\mgtdyn.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\NdisImPlatform.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\gm.dls.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\Udecx.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\NdisVirtualBus.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\vhdmp.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\de-DE\EhStorTcgDrv.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\ja-JP\i8042prt.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\qwavedrv.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\ndiscap.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\UMDF\fr-FR\SensorsHid.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\iorate.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\errdev.sys.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\es-ES\usbstor.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\http.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\fr-FR\luafv.sys.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\drivers\en-US\mountmgr.sys.mui.bat C:\Windows\System32\WScript.exe N/A

Possible privilege escalation attempt

exploit
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Boot or Logon Autostart Execution: Print Processors

persistence
Description Indicator Process Target
File created C:\Windows\System32\spool\prtprocs\x64\winprint.dll.bat C:\Windows\System32\WScript.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Indicator Removal: Clear Windows Event Logs

defense_evasion
Description Indicator Process Target
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-TaskScheduler%4Maintenance.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-HotspotAuth%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeploymentServer%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Audio%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4AutoPilot.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-ReadyBoost%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Audit.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storsvc%4Diagnostic.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Security-Mitigations%4KernelMode.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Sysmon%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-VolumeSnapshot-Driver%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-WMI-Activity%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-BackgroundTaskInfrastructure%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SmbClient%4Connectivity.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StateRepository%4Restricted.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnostics-Performance%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4ManagementService.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4ActionCenter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UserPnp%4DeviceInstall.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Steps-Recorder.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-CoreSystem-SmsRouter-Events%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4BackUpKeySvc.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-SMBServer%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Internet Explorer.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Client-Licensing-Platform%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Program-Compatibility-Assistant%4CompatAfterUpgrade.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-VHDMP-Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-BitLocker%4BitLocker Management.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-PowerShell%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-DeviceSetupManager%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Boot%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Security.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Key Management Service.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-AppXDeployment%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Crypto-DPAPI%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Provisioning-Diagnostics-Provider%4Admin.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Shell-Core%4AppDefaults.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-StorageSpaces-Driver%4Diagnostic.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-UniversalTelemetryClient%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Biometrics%4Operational.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Setup.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\HardwareEvents.evtx.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\winevt\Logs\Microsoft-Windows-Storage-Storport%4Health.evtx.bat C:\Windows\System32\WScript.exe N/A

Modifies file permissions

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\takeown.exe N/A
N/A N/A C:\Windows\system32\icacls.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\System32\fr-FR\crypt32.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\tdh.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\uk-UA\shdocvw.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Media-Foundation-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PeerDist-Client-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\fr-FR\ufxsynopsys.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\de-DE\smbwmiv2.mfl.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Containers-Client-Manager-merged-Package~31bf3856ad364e35~amd64~~10.0.19041.1266.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\NetworkStatus.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\de-DE\polprocl.mfl.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ConsentUxClient.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-Multimedia-CastingCommon-WOW64-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\rshx32.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\DFDTS.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\BthAvrcp.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Common-RegulatedPackages-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\TtlsAuth.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\wshext.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\TSWorkspace.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\netmscli.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\shutdown.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\spp\tokens\skus\ProfessionalSingleLanguage\ProfessionalSingleLanguage-Retail-1-ul-oob.xrm-ms.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\rundll32.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Hyper-V-Offline-Core-Group-Package~31bf3856ad364e35~amd64~~10.0.19041.264.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-OneCore-IsolatedUserMode-Package~31bf3856ad364e35~amd64~en-US~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\it-IT\c_sensor.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\sbe.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LanguageFeatures-Handwriting-de-de-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\userinitext.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\sdfrd.inf_amd64_25779da6eca4810a\SDFRd.inf.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\it-IT\fthsvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\sdshext.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\imaadp32.acm.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\deviceregistration.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_ar6320_3p0_NFA364xp_ssku_DE_0522.bin.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\win32spl.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\EventCreate.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\migwiz\mighost.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\348C74BBB0C8791244D9BA708604211E.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\fr-FR\powermeterprovider.mfl.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\fr-FR\apds.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-LanguageFeatures-Speech-ja-jp-Package~31bf3856ad364e35~wow64~~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\es-ES\usbcir.inf_loc.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\FunDisc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\en-US\setupcl.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-StepsRecorder-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\de-DE\StorSvc.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\es-ES\odbcconf.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\provpackageapidll.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\AppV\AppVStreamingUX.exe.config.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\bg-BG\quickassist.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-SMB1Server-D-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\OptionalFeatures.exe.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\ja-jp\MultiDigiMon.exe.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\oobe\de-DE\W32UIRes.dll.mui.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\cfgbkend.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\netathr10x.inf_amd64_2691c4f95b80eb3b\eeprom_qca9377_1p1_NFA435_olpc_LE_5.bin.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\WindowsPowerShell\v1.0\Modules\Storage\Volume.cdxml.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\shlwapi.dll.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-TerminalServices-UsbRedirector-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\wbem\AutoRecover\AD6E370A764693BABD73A1B75D243F0B.mof.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-EnterpriseClientSync-Host-Opt-Package~31bf3856ad364e35~amd64~it-IT~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Media-Format-merged-Package~31bf3856ad364e35~amd64~es-ES~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A
File created C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PhotoBasic-Feature-Package~31bf3856ad364e35~amd64~~10.0.19041.1.cat.bat C:\Windows\System32\WScript.exe N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeTakeOwnershipPrivilege N/A C:\Windows\system32\takeown.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 916 wrote to memory of 4340 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 916 wrote to memory of 4340 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\cmd.exe
PID 4340 wrote to memory of 4996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4340 wrote to memory of 4996 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\takeown.exe
PID 4340 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe
PID 4340 wrote to memory of 1552 N/A C:\Windows\System32\cmd.exe C:\Windows\system32\icacls.exe

Processes

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"

C:\Windows\System32\cmd.exe

"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\System32\* && icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\system32\takeown.exe

takeown /f C:\Windows\System32\*

C:\Windows\system32\icacls.exe

icacls C:\Windows\System32\* /grant everyone:(F)

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
US 150.171.27.10:443 g.bing.com tcp
US 8.8.8.8:53 75.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 135.72.21.2.in-addr.arpa udp
US 8.8.8.8:53 10.27.171.150.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

C:\Users\Admin\AppData\Local\Temp\whysoserious.bat

MD5 3dfc9ee09967df4e049864cf81d9588b
SHA1 bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce
SHA256 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d
SHA512 d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708