Analysis Overview
SHA256: 69983df4e763c21c65d22182966c032d269943f974123f395974e931de7459d5
Threat Level: Likely malicious
The file code.vbs was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (286) files with added filename extension
Renames multiple (151) files with added filename extension
Possible privilege escalation attempt
Manipulates Digital Signatures
Drops file in Drivers directory
Modifies file permissions
Checks computer location settings
Boot or Logon Autostart Execution: Print Processors
Indicator Removal: Clear Windows Event Logs
Drops desktop.ini file(s)
Drops autorun.inf file
Drops file in System32 directory
Modifies termsrv.dll
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of WriteProcessMemory
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported: 2024-10-11 15:42
Signatures
Analysis: behavioral2
Detonation Overview
Submitted: 2024-10-11 15:42
Reported: 2024-10-11 15:44
Platform: win10v2004-20241007-en
Max time kernel: 150s
Max time network: 148s
Command Line
Signatures
Renames multiple (151) files with added filename extension
Drops file in Drivers directory
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\wintrust.dll | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\System32\WScript.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops desktop.ini file(s)
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Windows\System32\WScript.exe | N/A |
Drops file in System32 directory
Modifies termsrv.dll
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\termsrv.dll | C:\Windows\System32\WScript.exe | N/A |
Drops file in Windows directory
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3100 wrote to memory of 4516 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 3100 wrote to memory of 4516 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 4516 wrote to memory of 1628 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 4516 wrote to memory of 1628 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 4516 wrote to memory of 404 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 4516 wrote to memory of 404 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\* && icacls C:\Windows\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\* /grant everyone:(F)
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.28.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.28.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.117.19.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.236.111.52.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-11 15:42
Reported
2024-10-11 15:44
Platform
win7-20240903-en
Max time kernel
150s
Max time network
120s
Command Line
Signatures
Renames multiple (286) files with added filename extension
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\drivers\it-IT\rdpwd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\vdrvroot.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\bridge.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\pnpmem.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\modem.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\tpm.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\AGP440.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\bfe.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\serscan.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\tcpip.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\amdppm.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\i8042prt.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\hidbth.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\parport.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\serial.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UMDF\ja-JP\WpdMtpDr.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\acpipmi.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\lsi_sas.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\mrxsmb10.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\mouclass.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\iirsp.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\NV_AGP.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\wd.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\sermouse.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\UAGP35.SYS | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\ataport.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\isapnp.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\kbdclass.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\ULIAGPKX.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\tpm.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\qwavedrv.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\partmgr.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\vhdmp.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\ndisuio.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\fr-FR\tcpip.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\sermouse.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\wdf01000.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\atikmdag.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\HdAudio.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\nvraid.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ULIAGPKX.SYS | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\drivers\ja-JP\pacer.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\msahci.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\rdyboost.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\rspndr.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\es-ES\NV_AGP.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\processr.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ja-JP\luafv.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\http.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\ksthunk.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\USBSTOR.SYS | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\tcpip.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\ULIAGPKX.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\etc\protocol | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\NV_AGP.SYS.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\msfs.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\NV_AGP.SYS | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\vmbus.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\srv.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\appid.sys | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\de-DE\portcls.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\it-IT\rdbss.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\en-US\bthenum.sys.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\drivers\fr-FR\MTConfig.sys.mui | C:\Windows\System32\WScript.exe | N/A |
Manipulates Digital Signatures
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\wintrust.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\pwrshsip.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wintrust.dll | C:\Windows\System32\WScript.exe | N/A |
Possible privilege escalation attempt
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Boot or Logon Autostart Execution: Print Processors
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\spool\prtprocs\x64\en-US\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\es-ES\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\fr-FR\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\it-IT\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\ja-JP\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\jnwppr.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\winprint.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\spool\prtprocs\x64\de-DE\LXKPTPRC.DLL.mui | C:\Windows\System32\WScript.exe | N/A |
Indicator Removal: Clear Windows Event Logs
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsUpdateClient%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Inventory.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Telemetry.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4ConnectionSecurity.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Winlogon%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Key Management Service.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-PrintService%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-User Profile Service%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-RestartManager%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-Power%4Thermal-Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NCSI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WER-Diag%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Firewall With Advanced Security%4Firewall.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-BranchCacheSMB%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CAPI2%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsBackup%4ActionCenter.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-EventTracing%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkProfile%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-OfflineFiles%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application Server-Applications%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-StoreMgr%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-WindowsSystemAssessmentTool%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Assistant.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Kernel-WHEA%4Errors.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-NetworkAccessProtection%4WHC.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\System.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\HardwareEvents.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Known Folders API Service.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Setup.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Security.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Windows Defender%4WHC.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Application.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Media Center.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Bits-Client%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Program-Compatibility-Troubleshooter.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-DPS%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-GroupPolicy%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-MUI%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Application-Experience%4Problem-Steps-Recorder.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcpv6-Client%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Diagnosis-Scheduled%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Resource-Exhaustion-Detector%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Internet Explorer.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-CodeIntegrity%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-International%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Dhcp-Client%4Admin.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\OAlerts.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Windows PowerShell.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-Help%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-LanguagePackSetup%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\winevt\Logs\Microsoft-Windows-TerminalServices-LocalSessionManager%4Operational.evtx | C:\Windows\System32\WScript.exe | N/A |
Modifies file permissions
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\takeown.exe | N/A |
| N/A | N/A | C:\Windows\system32\icacls.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Windows\Media\Sonata\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-fontext_31bf3856ad364e35_6.1.7601.17514_none_fcab9df20a3cd55f\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-gb-component_31bf3856ad364e35_6.1.7601.17514_none_92d51a492ae12096\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-za-component_31bf3856ad364e35_6.1.7601.17514_none_a5926b147a413e6a\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-afternoon_31bf3856ad364e35_6.1.7600.16385_none_2a05e57d5ab3659e\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Fonts\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Calligraphy\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Quirky\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gameexplorer_31bf3856ad364e35_6.1.7601.17514_none_a026547dd7dc8bbc\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ini-systemtoolsuser_31bf3856ad364e35_6.1.7600.16385_none_7ca09f65fd387e58\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Festival\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Heritage\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..soundthemes-savanna_31bf3856ad364e35_6.1.7600.16385_none_8501e89d0b011992\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-garden_31bf3856ad364e35_6.1.7600.16385_none_f7a4bf1e15863e21\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-shell-soundthemes-raga_31bf3856ad364e35_6.1.7600.16385_none_2fe300bf8e73cdbd\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-reg-inf_31bf3856ad364e35_6.1.7601.17514_none_535245f3d98ecb9a\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..-gb-links-component_31bf3856ad364e35_6.1.7601.17514_none_0ea01e97df141032\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..l-soundthemes-delta_31bf3856ad364e35_6.1.7600.16385_none_fbf7e0678b64a4b8\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Offline Web Pages\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ie-objectcontrolviewer_31bf3856ad364e35_11.2.9600.16428_none_197d7b3a29314757\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-musicsamples_31bf3856ad364e35_6.1.7600.16385_none_06495209cbd8e93b\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-accessories_31bf3856ad364e35_6.1.7600.16385_none_480c0d8bd31ae43f\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-heritage_31bf3856ad364e35_6.1.7600.16385_none_5872c0830d0c4747\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-videosamples_31bf3856ad364e35_6.1.7600.16385_none_51a21f033003affd\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Savanna\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-photosamples_31bf3856ad364e35_6.1.7600.16385_none_f36e0e659b8042be\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-characters_31bf3856ad364e35_6.1.7600.16385_none_bde0eaed84920a21\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..oundthemes-festival_31bf3856ad364e35_6.1.7600.16385_none_121f20b55f0bde68\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Delta\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..opini-accessibility_31bf3856ad364e35_6.1.7600.16385_none_36604ea896f9a97d\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-au-component_31bf3856ad364e35_6.1.7601.17514_none_36a5754e72dd8aff\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..-soundthemes-quirky_31bf3856ad364e35_6.1.7600.16385_none_e55404efe49bb9cb\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..undthemes-cityscape_31bf3856ad364e35_6.1.7600.16385_none_5b48f43248490503\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-tabletpc-journal_31bf3856ad364e35_6.1.7601.17514_none_75d78dc0bb37c026\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\assembly\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Landscape\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Landscapes\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..-us-links-component_31bf3856ad364e35_6.1.7601.17514_none_b325aa489d61d3a5\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-ca-component_31bf3856ad364e35_6.1.7601.17514_none_fae061a2e0ae5019\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Garden\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Characters\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ehome-samplemedia_31bf3856ad364e35_6.1.7600.16385_none_b6b9b223710b3802\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-mail-app_31bf3856ad364e35_6.1.7601.17514_none_4f7e32f76654bd3c\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..allpaper-landscapes_31bf3856ad364e35_6.1.7600.16385_none_e57abb2f66db71a9\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Cityscape\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Web\Wallpaper\Nature\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..ktopini-systemtools_31bf3856ad364e35_6.1.7600.16385_none_da623240a154f357\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-s..sktopini-sendtouser_31bf3856ad364e35_6.1.7600.16385_none_64398328adc9c59d\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\Media\Raga\Desktop.ini | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-m..ttheme-us-component_31bf3856ad364e35_6.1.7601.17514_none_b52573ad8e4c2d89\desktop.ini | C:\Windows\System32\WScript.exe | N/A |
Drops autorun.inf file
| Description | Indicator | Process | Target |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\autorun.inf | C:\Windows\System32\WScript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNBBR320.DLL | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\en-US\TabSvc.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\ja-JP\msacm32.dll.mui | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\sppui\migrate.obe | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\KBDHU.DLL | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\System32\wbem\ja-JP\sensorscpl.mfl | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\mmcico.dll | C:\Windows\System32\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\en-US\WinSCard.dll.mui | C:\Windows\System32\WScript.exe | N/A |
Modifies termsrv.dll
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\termsrv.dll | C:\Windows\System32\WScript.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\takeown.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 2768 wrote to memory of 2936 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2768 wrote to memory of 2936 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2768 wrote to memory of 2936 | N/A | C:\Windows\System32\WScript.exe | C:\Windows\System32\cmd.exe |
| PID 2936 wrote to memory of 2792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2936 wrote to memory of 2792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2936 wrote to memory of 2792 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\takeown.exe |
| PID 2936 wrote to memory of 2860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2936 wrote to memory of 2860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
| PID 2936 wrote to memory of 2860 | N/A | C:\Windows\System32\cmd.exe | C:\Windows\system32\icacls.exe |
Processes
C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\code.vbs"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c takeown /f C:\Windows\* && icacls C:\Windows\* /grant everyone:(F)
C:\Windows\system32\takeown.exe
takeown /f C:\Windows\*
C:\Windows\system32\icacls.exe
icacls C:\Windows\* /grant everyone:(F)
Network
Files
C:\Users\Admin\AppData\Local\Temp\whysoserious.bat
| MD5 | 3dfc9ee09967df4e049864cf81d9588b |
| SHA1 | bd5840c3cec86b04f8e8dbc0ddf5eb1754d346ce |
| SHA256 | 81544f6c725f842b68f7bcbeb26525f701293d3d2281dd64dcad1e9d2dfc398d |
| SHA512 | d55ed377a577bd9ecc3af2753716f8e145da79207e3435bccdbd377ffdeda6ac691f93ebcf3158c1450aaca429dda8f91bc6e4d2e608cec562dd7fe9cfb76708 |