Analysis Overview
SHA256
1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6
Threat Level: Likely malicious
The file 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N was found to be: Likely malicious.
Malicious Activity Summary
Renames multiple (1294) files with added filename extension
Renames multiple (231) files with added filename extension
Checks computer location settings
Reads user/profile data of web browsers
Adds Run key to start application
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Unsigned PE
Enumerates physical storage devices
Suspicious use of SetWindowsHookEx
Runs .reg file with regedit
Modifies registry class
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-20 21:35
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-20 21:35
Reported
2024-10-20 21:37
Platform
win7-20240729-en
Max time kernel
41s
Max time network
120s
Command Line
Signatures
Renames multiple (231) files with added filename extension
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yesenia = "C:\\Windows\\MSIEXEC32.EXE" | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinExec = "C:\\Windows\\WinExec.exe.vbs" | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinExec = "C:\\Windows\\Winexec.exe.vbs" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSIEXEC = "C:\\Windows\\MSIEXEC32.EXE" | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\winrm.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\currency.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\delete.avi.exe | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\picturePuzzle.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
|---|---|---|---|
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\localizedSettings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\localizedSettings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5956204d6dda4df5\picturePuzzle.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_6.1.7600.16385_none_da3b5e9090e80564\IIsExt.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_997299d423475883\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\timeZones.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\highDpiImageSwap.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 08.wma | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\flyout.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6c1ecf50d014f9d9\slideShow.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5646c597a746df57\settings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1b17ba477234d5e\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39b468a7491888f2\calendar.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\library.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\weather.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\weather.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31173e7d19fe591a\picturePuzzle.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9549b67c137efeb\cpu.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 05.wma.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\localizedStrings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dbfc68edd3137610\clock.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\slideShow.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\currency.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\settings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\library.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\settings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0246f6465cb859ba\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8486739b50ee62de\library.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\RSSFeeds.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba2212be09f75c28\localizedStrings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6c1ecf50d014f9d9\slideShow.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0098688ad232f281\cpu.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d85986ba7e56fda6\cpu.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\settings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\localizedStrings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5956204d6dda4df5\picturePuzzle.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\flyout.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c9675951dd42e377\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\library.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\localizedSettings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d25248058fa612a\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\init.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\settings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ef1bf7026e3473f\picturePuzzle.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\RSSFeeds.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\localizedStrings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\settings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\weather.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9549b67c137efeb\cpu.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_de-de_90c392ae5a3a7d2d\calendar.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\currency.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\settings.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e7f3bd0c60c7e17\timeZones.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92a65a18e6532ae7\settings.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
| Process | Command line |
| C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | "C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe" |
| C:\Windows\SysWOW64\Regedit.exe | Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\1.reg |
| C:\Windows\SysWOW64\Regedit.exe | Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\2.reg |
| C:\Windows\SysWOW64\Regedit.exe | Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\3.reg |
| C:\Windows\SysWOW64\Regedit.exe | Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\4.reg |
| C:\Windows\SysWOW64\Regedit.exe | Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\5.reg |
| C:\Windows\SysWOW64\Regedit.exe | Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\6.reg |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\Windows\WinExec.exe.vbs" |
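The Run-key rows in the behavioral1 signatures and the command lines listed under Processes are the part of this report a responder reuses: two HKCU Run values (Yesenia pointing at C:\Windows\MSIEXEC32.EXE, WinExec pointing at the double-extension script C:\Windows\WinExec.exe.vbs), a RunServices value written by WScript.exe under Wow6432Node (a 32-bit script host writing HKLM\SOFTWARE is redirected there), six silent imports of 1.reg through 6.reg via Regedit.exe /s, and WScript.exe started with the System32 path while the recorded image is SysWOW64 (WOW64 file-system redirection for a 32-bit parent, so a hunt keyed on the System32 path alone misses it). RunServices is a Windows 9x-era key that NT-based Windows does not process at boot, so that entry records intent rather than a working autostart; the HKCU Run values are the ones that matter. The parser below is an added example, not part of this report or of any tool behind it: it reads rows in the layout used above plus command lines as listed under Processes and returns the autorun records, the silently imported .reg files and the script-host launches. SAMPLE_ROWS and SAMPLE_CMDLINES are a constructed excerpt of the tables above with the sample renamed sample.exe; the "effective" rule and the extension lists are the example's own assumptions.

```python
# Added example: parses rows in the report's own layout. SAMPLE_ROWS/SAMPLE_CMDLINES are
# a constructed excerpt of the behavioral1 tables (sample renamed sample.exe); the
# 'effective' rule and the extension lists are this example's assumptions.
import re
from pathlib import PureWindowsPath

SAMPLE_ROWS = r'''
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yesenia = "C:\\Windows\\MSIEXEC32.EXE" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinExec = "C:\\Windows\\WinExec.exe.vbs" | C:\Users\Admin\AppData\Local\Temp\sample.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinExec = "C:\\Windows\\Winexec.exe.vbs" | C:\Windows\SysWOW64\WScript.exe | N/A |
'''.strip().splitlines()
SAMPLE_CMDLINES = [
    r'"C:\Users\Admin\AppData\Local\Temp\sample.exe"',
    r'Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\1.reg',
    r'Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\2.reg',
    r'"C:\Windows\System32\WScript.exe" "C:\Windows\WinExec.exe.vbs"',
]

# \REGISTRY\USER\<SID>\...\CurrentVersion\<Run*>\<name> = "<value>" as the report prints it.
AUTORUN_RE = re.compile(
    r'^\\REGISTRY\\(?P<hive>USER\\S-[0-9-]+|MACHINE)\\'
    r'(?P<subkey>.*?\\CurrentVersion\\(?P<runkey>Run\w*))\\'
    r'(?P<name>[^\\=]+?)\s*=\s*"(?P<value>.*)"$',
    re.IGNORECASE,
)
# Run/RunOnce are honoured at logon on NT-based Windows; RunServices/RunServicesOnce
# are Windows 9x/ME keys that NT-based Windows ignores.
EFFECTIVE_RUNKEYS = {'run', 'runonce'}
SCRIPT_EXTS = {'.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.hta', '.bat', '.cmd', '.ps1'}


def split_row(line):
    """Cells of a '| a | b |' row, or None for a non-row line."""
    line = line.strip()
    if not line.startswith('|'):
        return None
    return [c.strip() for c in line.strip('|').split('|')]


def double_extension(path):
    """('.exe', '.vbs') for WinExec.exe.vbs; None when no script extension is stacked."""
    suffixes = PureWindowsPath(path).suffixes
    if len(suffixes) >= 2 and suffixes[-1].lower() in SCRIPT_EXTS:
        return suffixes[-2].lower(), suffixes[-1].lower()
    return None


def parse_autoruns(rows):
    """Autorun records from 'Set value' rows: which key, what it points at, who wrote it."""
    found = []
    for line in rows:
        cells = split_row(line)
        if not cells or len(cells) < 3 or not cells[0].startswith('Set value'):
            continue
        m = AUTORUN_RE.match(cells[1])
        if not m:
            continue
        target = m['value'].replace('\\\\', '\\')  # the report doubles backslashes in values
        found.append({
            'hive': 'HKU' if m['hive'].upper().startswith('USER') else 'HKLM',
            'runkey': m['runkey'],
            'name': m['name'],
            'target': target,
            'set_by': cells[2],
            'effective': m['runkey'].lower() in EFFECTIVE_RUNKEYS,
            'double_ext': double_extension(target),
        })
    return found


def argv_of(cmdline):
    """Split a Windows command line on whitespace, keeping double-quoted arguments whole."""
    return [q or bare for q, bare in re.findall(r'"([^"]*)"|(\S+)', cmdline)]


def silent_reg_imports(cmdlines):
    """.reg files imported with 'regedit /s' (silent: no confirmation dialog)."""
    hits = []
    for cl in cmdlines:
        argv = argv_of(cl)
        if (len(argv) >= 3 and PureWindowsPath(argv[0]).name.lower() in ('regedit', 'regedit.exe')
                and argv[1].lower() == '/s'):
            hits.append(argv[2])
    return hits


def script_host_launches(cmdlines):
    """(host, script) for wscript/cscript launches. A 32-bit parent naming System32 is
    redirected to SysWOW64 by WOW64, so match on the image name, not the directory."""
    hits = []
    for cl in cmdlines:
        argv = argv_of(cl)
        if argv and PureWindowsPath(argv[0]).name.lower() in ('wscript.exe', 'cscript.exe'):
            scripts = [a for a in argv[1:] if not a.startswith('/')]
            hits.append((argv[0], scripts[0] if scripts else None))
    return hits


if __name__ == '__main__':
    for rec in parse_autoruns(SAMPLE_ROWS):
        print(rec)
    print(silent_reg_imports(SAMPLE_CMDLINES))
    print(script_host_launches(SAMPLE_CMDLINES))
```

To run it over a full export, pass the report's lines to parse_autoruns and the Processes command lines to the other two functions. The six .reg files are listed with hashes under Files but their contents are not shown on this page, so what those silent imports change stays unknown from the report alone.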
Network
Files
memory/2704-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
| MD5 | 1b8aa9c4579e695f722c7efeb62b1ceb |
| SHA1 | efd42acaefecbabbad2712c61b499c86cf587ed9 |
| SHA256 | 6f5d42baf0d55a215ee384479a8881e8781eb4302893abc85ae8b2219dbfc87e |
| SHA512 | 85947a9a2c9aa0eeb2b13f1e1dfd8cee0c3c584ecadfde981ca8c6876afcf4b493872520138b0f172ab5875e2a655a9e2880cb72b9ed7bcf205b9fb8d7a6473d |
C:\Users\Admin\AppData\Local\Temp\2.reg
| MD5 | 3cf886f68272009e51bf760ff02f2fd1 |
| SHA1 | 1c8d1db4f21738cf3345a5f8934920282d8aaf27 |
| SHA256 | 69a21a0cd503689fc61f0aef1803a4addf742ca55e6c1c60595a3dc435eb275c |
| SHA512 | c98169b4e3ad37339b6e465c436c8f67413e6c2ea32a1ce44c75ee6d39947b3ac9ac3e8ee06cda962e22484c1fe52f5242f197155975ab94c15ad8700392fe2f |
C:\Users\Admin\AppData\Local\Temp\3.reg
| MD5 | c0a6a61f9509d470195892991d17f51f |
| SHA1 | db566bf2c08894eaf3032e7c0aff68d01d99b382 |
| SHA256 | ad94ca231b24a4d7cd6f34fd009e8eddf9d09114fbfd7bab287c2e88479ad700 |
| SHA512 | 93680d6353ead2899c6070deeef60d57ec67323bad090fcae2b9c47e0748640345379ed4607646068772e11487f1915851809de0245a29263a50dd0755ccfb69 |
C:\Users\Admin\AppData\Local\Temp\4.reg
| MD5 | 7ff9ca1a78edea205480a199f18c3c52 |
| SHA1 | 39ce114f5ce61f5de55485d953d7194e377f80ad |
| SHA256 | bf70e43d27eb1e179e22f22721060a162d28f202ffaa09848d68bb36d15e1dcb |
| SHA512 | 80b89528a49716d1215da373a8d84c68c2acf29ff085f3a8694f4d3294f16e7238e3f41c63eae481596de58f772dbfe8ef10f300cc58c75eb748c195364e1c94 |
C:\Users\Admin\AppData\Local\Temp\5.reg
| MD5 | 3e3b711f00fddb7bd82e6ca38be79af9 |
| SHA1 | a3c9ee6e8e8d9617c3814c9f3f31c50a2ca80e42 |
| SHA256 | 776c84a44d9c7da404aae26d8238b242b4ec8a49c66bddf564104fec4e126acf |
| SHA512 | c403865f368333a1f849c5ae379c36fdc8f96bc8e235d8e5680d1866d65ba4eeed402292aeb8f8ed7891a91081db8b1721bc3647e7e07b74f3590ebe5c44e8b2 |
C:\Users\Admin\AppData\Local\Temp\6.reg
| MD5 | 605e06f594a02d384a023169fd6da5e6 |
| SHA1 | c61c8ab826851d808ee55fbc90073da44c1efa99 |
| SHA256 | 92f0a278cf25a44853b5af65f54f29cb62c4c3c1cf9d368e4ac90f70f0d79a28 |
| SHA512 | fc5be0eccb6100c1280f351b53dd39930f2731751d67d253d2623029f49f0d9f931b43b3e2072ad11c7db2b944b579d03ef761801dae02d240ac7c8d643cf79d |
C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\boxed-delete.avi.exe
| MD5 | 921a82bd0fe814e8c9a529e8c1d3ae40 |
| SHA1 | 7aabea2c09e17f31d3d5ce8b7134c25ecebcca97 |
| SHA256 | 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6 |
| SHA512 | 62600508aa8e687abb160bb2ffbe01f6dbe07598309c8a8e1c97d5ebe8d650db76d144d38c67ec1e045e918e22ed881b1be19c539d7e3699558181b1e7c28647 |
C:\Windows\WinExec.exe.vbs
| MD5 | 812f70c55c6a5aa67da09aa894f5d7a9 |
| SHA1 | e7ffdcd9add563f873a9c859ea63f9984ab87717 |
| SHA256 | 2eef0b78a9fbe606a269a80530dc60ea6a64172787bffcdbb12dfc869f577923 |
| SHA512 | a737e7552fc388df400cc84cf01201781ac58b0943efbc925ab6df922eef272ec7a2871e4c77485520f132d408d254fd3c91bf4f34eef7198411e388b1ac04ae |
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css.vbs
| MD5 | be7753ea9c0f2036f8d9cb803a0b6120 |
| SHA1 | f3c79f2e9136e24f3a86bb226298092e28cfdcc7 |
| SHA256 | e518d99125ee2af3f0528e8c8aa97de0e57e0f8aa9c725db19a85cbbecfd8b34 |
| SHA512 | bd44325c74aa23939f93049c6b20d7dd0214407be84ca08de2900a5cf80325c5a34f2c5d0573671c382a2a86023c8da6e2b836c3e826183179dddc3aef41620c |
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.vbs
| MD5 | c3adf6a62f420d0926b817bc570bcac7 |
| SHA1 | 5f2fdbe6e421079dadc1f3f15f61af894875fea9 |
| SHA256 | dca69ac4afb6fe543b7adbb2645bf3df57464383236fde6d82703106869a03f9 |
| SHA512 | f34ed769bfd01eb2fbfc05386f7ef587b3d208b68943f5c2fc10ef4a705e64aff99954450013b3e2e05699f51f8335749b820742f43d5153aa586817be51317f |
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js.vbs
| MD5 | c678c8640b7ebe2250d1590b6aa49ed3 |
| SHA1 | b72c9e3a34baf274af26a00f8ea33497475da334 |
| SHA256 | 85959807a632f0791dc6074be606a46c17a13e95324a2e2e3aeec71336cbfc8b |
| SHA512 | cfc4433f72f10c6424cbe6598d995f7c352f1994f1484b09a3105a167d8b2b802f47ba178ed3b071a930ba06e6e4e8d2cf401c1e276d4af33be3b0390d0709f7 |
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.vbs
| MD5 | 268edb3270b37d34dd8c51a14ef2d665 |
| SHA1 | 886fc50e8f6fbbaa4fa00b39eeab79f99a9d4bbb |
| SHA256 | 369d24f49576471ead617d5a8f35c5ea5d059e0da840a28100a1a3fbc026af01 |
| SHA512 | e704d38d528b71f57d9c8f782f9fee0ac927c32e935d4d1ec4a821aaee7161c23db3ee7a858831d328acd4846cfaac6f3ef945c68721f595c12226180c29ab17 |
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js.vbs
| MD5 | 559ecfb98fc63d046fd6240d2b09df90 |
| SHA1 | 1b36d4676afd5796aa37ed7750dd937e775e7108 |
| SHA256 | cc1b9a765f597e30df92e8958428dbd39694c52c70627b777008b70b00b37b86 |
| SHA512 | 643fc3c22382931583ab5df72d95f5a40f54c08a61049583be009db32d0499bd6fe8e71772453e27911682539454598c0837aa284a02c4c8d6f2b7b7652d2c60 |
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css.vbs
| MD5 | 803a207b47faf90c505ae1652a581ffd |
| SHA1 | bd5de7b5c8e9049c9250cb8859b39ab9cd25637f |
| SHA256 | 2efa8dfa785170498f0bd14dcc7415d31dc500086eca5393f69675149446039a |
| SHA512 | 6d12ed6eefae4802f5800def9321a6e85ef0d0bddbc4a1381b30ecb6089a5f6aaa6c9eea692d76656b087e09efcc032f35261dece316e4a16b1a6bb3f8da5807 |
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js.vbs
| MD5 | 39053b6853da8972a05020728ec0df10 |
| SHA1 | 7369fa28da358f3843d3ebcd7d2a39ded05574c7 |
| SHA256 | 66cc94d33f120a2ca1ab63708d767b471b7dfa1c4c483d795f191fc5d7a52fc2 |
| SHA512 | 59a7bc1a71ee1ba444110cc16aa9de98f01dffbee014842e5bca1126a63c56d1cb80e57f91cb304eb53bfdbb531e2217a365d01f04a6310b786ac53fac7849dd |
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js.vbs
| MD5 | 9a9229799041e3654635f805aacc31ff |
| SHA1 | 99decfd163cb4f113b65e0f2729442297bdbe48e |
| SHA256 | f95ddb7fd27e5d834242cbdb1de8ed6c0005311c585d1988c3e48750b392b2a3 |
| SHA512 | 12a850170ced59d991c2756b3fc0bee5ddc16366d46eef11f9a522de08bb0017ea2354e4d6c747208ce65cf12e69bc1ba685609472e7516657aa978faa567ab0 |
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js.vbs
| MD5 | 82e7206c004e0d793f27ca6fe1b68eb7 |
| SHA1 | e201cdac02106be9b1330d8f9b6d8ff01a42e0b2 |
| SHA256 | 03f503f7abc328db6ea8254291c92575e6557d9496d33e20b08b8a4190080e6b |
| SHA512 | 4aa219a31e824c0fc41f01efeb3dd94486c2f0008bbd0a6495e66beb45cfccd0f1bf04d71bbf3d85397ad097a1a9d6a0e49df1f493ee777ec1961bfbe82b32ee |
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js.vbs
| MD5 | 32830f3441431dfe48864af66de41c15 |
| SHA1 | 23338b2bbcb6ca77ff0515869722080e07f42150 |
| SHA256 | 726b42ee090b8f9ac70cc5408d27d2547065c7a47f120da9a9a83128011c1c06 |
| SHA512 | 755abec7e7159e0d73131193b485c84325bb0bfedf8341cb54aeaad720b2631e069699d31b0adb8a5075c938715d9ec7a54f8afe3f4ab06106dd75cf3f8280c0 |
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css.vbs
| MD5 | 3685e6048c0c3e291328a942f63b471c |
| SHA1 | 960932c8479f7c460c728bfa64a1525c703754f4 |
| SHA256 | 1b6bc2a2b8c2d4a41df28ff65d34d80542c5d531cb6f9933f5f833f0eba43a27 |
| SHA512 | c5e1b181c9de1437a1c7678cb8effce6a8d4e3372d438cc312ef4f2efbc7864499d513def72f1e7711a2e5ca70f0a58d7d5a09f7aee5012b6d4aa20abe209f94 |
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css.vbs
| MD5 | 951cf41e8d54d9346e0a03a723e549c1 |
| SHA1 | 0f368f110bc160ae85a77ac687454b951d6d7090 |
| SHA256 | 6c722a469a4afa79506b654f37cb7bf392290868b3f8a1e9b0afda003ec1ea64 |
| SHA512 | f890322609ab186086d4f433a808c77a9a46313fef28dcd77a9189039e12d0de41fcc2315a65cf00f2e8a437a0a63a038fbb53f04f5ca9b922832f23c48e5eb6 |
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css.vbs
| MD5 | 608c9d26a0d386740680c2c528e4502d |
| SHA1 | 26dc38aa68ffaac44c4c857fe4945711586a413e |
| SHA256 | 1b56a2be7fe8ab87c1b3afbd25004f2d2c78dda085e139eb9569f5c69caf3e3b |
| SHA512 | 6d44d09ea92de4e3fff9a013d8108a6d8c8022671f6f46614e70dccce6fc60a505a769e0c53a7389409c31e4809fa3a024f1c59029049e08234e6f743cb5a669 |
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css.vbs
| MD5 | fa877766d79d2feaae9c46f1cd6505b2 |
| SHA1 | 25fc2079abe4a05666398092e7bdbd642428c44c |
| SHA256 | 35c48772d44ee208b4ab05d90465f58c4d5f8a9c0fc88a62ff69f07b2d0dee06 |
| SHA512 | 4421309df73c12898488c0ffdf0c2548c11868901afd61ca95e55c0bb4c2b35d72093850a04183d5644cfc6bfafa2227fbcf83235290da6b5128e44a85aaf99c |
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.vbs
| MD5 | ad04cf0eae2cec98e3ed5ac72661b6ca |
| SHA1 | 0e5592d01682c718fd8d7ce8015655173d3c68b1 |
| SHA256 | 6024c313590c3b875226a4dffc5f25864b5653d73feb274f24448fa6a04eaf20 |
| SHA512 | 63cb5a8663f750ce185445d2e5dc8307589a256f186b02a61342098a4c27e1d3f703cb2f02d612d29f368da31415892859d2bcc276b5d9e79ad13a1bb7602581 |
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.vbs
| MD5 | 76c21b1cafda64f4e330b536ca45adb3 |
| SHA1 | f28e6dc46f91f2bd50945ca6529402bbdd65b3c4 |
| SHA256 | 9d5057a6f8e28d3beb006980e365322ce5a06da71c9b765d0deb51343ef02610 |
| SHA512 | 3f84e2116e7ead66f2eaca9d3669c8f20f293f064b1a4208e4c5b1b292d3282212813e4dde12a75c56e66d1e75d319e589dd30c005b410c073f4499fdc5f3850 |
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css.vbs
| MD5 | fa8af3188c7c890d86fdcb10d4fbf62c |
| SHA1 | 0ba8343b35f0896040db086f04bc07cf408c1e28 |
| SHA256 | f14a541a9130f3bd0d6d4c4d351a87ed5298596afece3e3ec2390bbae063e65f |
| SHA512 | 3a933eb3ad69e3a18bb0b04bc1759067318cd8f8d09b4ad765e65a3d72eb03ed9069483279380f73b105cf4181f87a2b0eace70b1519ddea21954f69f6c98f64 |
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css.vbs
| MD5 | f4ab06a44f9c0767574204ddd6cd54bf |
| SHA1 | 727d94b66abc9e7d5f2d5605b398f9d04bd6bc57 |
| SHA256 | 0af3484552719a12be64d09519d7758b76402769a7bffe2c1b6b22b9ff733139 |
| SHA512 | 7f80cf7b95d23e1267d198854896e0f3ebe88c1eddd62db0c90baf98f6ee3b7c8723172ffd3f0a6a6612c27108ae00862b1c480734d89dac7d0dc3dc44e227e8 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css.vbs
| MD5 | 455e12b1a2bbfa973487f35e2c4d476f |
| SHA1 | 717c46c371efc1e70f19d32fce4347ff463a4242 |
| SHA256 | d3d9bb5c378d5a522afa38f53f8f2989b3eff089d68e14e2a70049a1af4ad29f |
| SHA512 | 15b27dea0aac91e7a1af7f836b0f7d1543519a241c4b99e90adf3d594a8ba5eb3118cf4b47c11c64f919f4b59925a77079f2251252f3a34cbe4a97eeed80a5f9 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css.vbs
| MD5 | 5008235df64e2f496caced691259c065 |
| SHA1 | af5ef7c4420e1d3e3a1a022a93f4dd7641caf705 |
| SHA256 | 9263644146ea6f60654204d06d179a428c6023e4af8a3cf1794034b2819df9ae |
| SHA512 | cdac548d0f4acbdc04ac5d5a0071c1d4791616a513dca3f4131257de1e1e82a872c1487454613dd04103a50a1458944dbb06d6f82a150b723722630eb0eeb2c3 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css.vbs
| MD5 | feb1c5d1501cce2cd5dc52cfb10f0e9a |
| SHA1 | b9038ceea201231e82d6c645f17f44089c21f161 |
| SHA256 | cb9a61101d99305ab26956610385093d790bd0c2145ead3a51212fa72a214a7c |
| SHA512 | ec6b29fdd28b2691adf905a682834bb3ffa82d2da4ce2557d61b593145a9aeeb94799528b907c1942932b06a002a20eb1fe578659db1e4f2123bcc19cc4c34a9 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.vbs
| MD5 | ef9d56e80f446dc32e5838cfbc181dd6 |
| SHA1 | 84162ef02f261fd3d5c32e6f8ba75d0d6e1b6ef1 |
| SHA256 | 881d05322d7d06a5c2042256e2bc44cdc1dba02c984b839d55122e10cb26e147 |
| SHA512 | 0a40aebf8cd4ad1d26ebc1b6bc70057cf4db538b302d58f49c19a597f013c91640697224196aea21ee7b673300720b90ec1788d8b65bb352d62b07d4a5aceeb6 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js.vbs
| MD5 | fdb05ac511bb912ac9d92b046d8b36d0 |
| SHA1 | 9826dd418a39f46d2b42752ea9757da2d6378dea |
| SHA256 | d13efba10d58e54ce40add2c891cc083f018ccf5dc0531ddbdaeb9a607e8a20d |
| SHA512 | b476f807e07d6d103bd0ff0218a49e8e5286fdc86436b6338b52a583dd1910ec21d96ce3e579fcfe035484bf3adedb26059c861d4567ad1e8a1dbdbc114b4d67 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js.vbs
| MD5 | 3d03fea624afad52cca52905dabccb10 |
| SHA1 | f5f5e17df6b24032509c74ed1fe932e93b9412d9 |
| SHA256 | 135098ee180cd12c8d7127ec361ff980b354aa02d7f8a6c3e184543a8a54907a |
| SHA512 | a7e14d73ed52d53d34ceecb18d9b0f9ef8f80bd3d48e2f0cee3d130e771909ececd96d2afaf2ebf4d656805e8acfb2954b99bd3e03c9eeeb101a983d8de946ec |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js.vbs
| MD5 | 023b5c1b5b1f0af894b829a5466f9748 |
| SHA1 | 24fbd393795fda1499f891713f1b7153f560e37b |
| SHA256 | 4d005737e6e9df58bf2124f30c4dbdce0ae557ff7333bfd5d70002ade7a6c328 |
| SHA512 | 473a405ba5bb0cfb0a16d766d0ce76b7e4787901f79efb74cb44fcc203b5b04245d38e3aa5f3a400fee41609bbea2a48056e60363fad7a5ea00aa761eca0ebf9 |
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js.vbs
| MD5 | a805ed462ad9a81a3e8b8e0422f781cc |
| SHA1 | 025635fe06812ba52ba417e6e1dd880500aba193 |
| SHA256 | bdb4f2a048cad27aa3aa4d53741626eeff3919b0d80bd5ab90c3ec638b78e87c |
| SHA512 | 980753cced19520c04a0a2afe1278d92bfad6460274e91c24dad214df39ff8d45a5cf2953765ebd8a86188de7a6961acd767360aeee022987baa224aa068525a |
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.vbs
| MD5 | 74c6098c1ed97d023f2a5aa4d2258f16 |
| SHA1 | 8b48301e20467aaf8c7655c397b5056247d2aa73 |
| SHA256 | 78d729f5e9a3710e6ca3300589102d69e7b061bb744202db124fa3c05221840f |
| SHA512 | 6c7f6dd115ec15f119db233bbe2e133589a4d60643bc330fdba7c7c3722e8cc2fe99a6584f23935b60e093ef44e5ed5ba128f29ec87b7255b377002b9da5c7fe |
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-20 21:35
Reported
2024-10-20 21:37
Platform
win10v2004-20241007-en
Max time kernel
86s
Max time network
94s
Command Line
Signatures
Renames multiple (1294) files with added filename extension
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
Reads user/profile data of web browsers
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yesenia = "C:\\Windows\\MSIEXEC32.EXE" | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinExec = "C:\\Windows\\WinExec.exe.vbs" | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinExec = "C:\\Windows\\Winexec.exe.vbs" | C:\Windows\SysWOW64\WScript.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSIEXEC = "C:\\Windows\\MSIEXEC32.EXE" | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-constraints.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\winrm.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\slmgr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnjobs.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-constraints.js | C:\Windows\SysWOW64\WScript.exe | N/A |
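The System32 rows above show the shape a filesystem hunt for the 231 and 1294 "renames with added filename extension" needs: a created MPDW-constraints.js.vbs beside the MPDW-constraints.js it was derived from, plain .vbs files written at the paths where Windows ships its own printing admin scripts, slmgr.vbs and winrm.vbs, and, in the behavioral1 Files list, a copy of the sample at C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\boxed-delete.avi.exe carrying the original's SHA256. A create event at a shipped script's path means it was opened with a create disposition, so treat those scripts as rewritten until their hashes match a clean host. The scanner below is an added example, not part of this report or of any tool behind it: it walks a tree and reports double-extension sidecars (and whether the original still sits beside them), single-extension .vbs files under System32 or SysWOW64 modified after a cutoff, and files whose SHA256 is in a supplied known-bad set. The tree it scans is constructed in a temporary directory with placeholder contents; only the path shapes come from the report, and the extension lists and the cutoff are the example's own choices.

```python
# Added example, not part of the sandbox report. The tree scanned by run_demo() is
# constructed in a temporary directory with placeholder contents; path shapes mirror
# the report, extension lists and the mtime cutoff are this example's assumptions.
import hashlib
import os
import tempfile
import time
from pathlib import Path, PureWindowsPath

# Outer extensions worth flagging when stacked on another extension. The report shows
# .vbs sidecars and a self-copy named boxed-delete.avi.exe, so executables are included.
OUTER_EXTS = {'.vbs', '.vbe', '.js', '.jse', '.wsf', '.exe', '.scr', '.com', '.pif'}
# Directories in which Windows ships its own .vbs admin scripts (prn*.vbs, slmgr.vbs, winrm.vbs).
SYSTEM_SCRIPT_DIRS = {'system32', 'syswow64'}


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, 'rb') as f:
        for chunk in iter(lambda: f.read(1 << 16), b''):
            h.update(chunk)
    return h.hexdigest()


def scan(root, known_bad=frozenset(), newer_than=None):
    """Walk root and return findings; kind is one of
    'sidecar'               two extensions, outer in OUTER_EXTS; 'original_present' tells
                            whether X still exists beside X.<ext>
    'system_script_written' single-extension .vbs under System32/SysWOW64 with mtime after
                            newer_than (epoch seconds); None disables this check
    'known_bad'             SHA256 is in known_bad
    """
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            suffixes = [s.lower() for s in p.suffixes]
            if not suffixes:
                continue
            outer = suffixes[-1]
            if outer in OUTER_EXTS and len(suffixes) >= 2:
                original = p.with_name(p.name[:-len(p.suffix)])
                findings.append({'kind': 'sidecar', 'name': p.name, 'path': str(p),
                                 'original': str(original),
                                 'original_present': original.exists()})
            in_system_dir = any(part.lower() in SYSTEM_SCRIPT_DIRS for part in p.parts)
            if (outer == '.vbs' and len(suffixes) == 1 and in_system_dir
                    and newer_than is not None and p.stat().st_mtime > newer_than):
                findings.append({'kind': 'system_script_written', 'name': p.name, 'path': str(p)})
            if outer in OUTER_EXTS and known_bad and sha256_of(p) in known_bad:
                findings.append({'kind': 'known_bad', 'name': p.name, 'path': str(p)})
    return findings


def build_demo_tree(root):
    """Constructed tree mirroring paths from the report; contents are placeholders.
    Returns the SHA256 of the placeholder 'sample' so the demo can seed known_bad."""
    sample_body = b'MZ placeholder standing in for the sample binary'
    files = {
        r'Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css': b'body{}',
        r'Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css.vbs': b'WScript.Echo 1',
        r'PROGRA~1\COMMON~1\MICROS~1\ink\en-US\boxed-delete.avi.exe': sample_body,
        r'Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs': b"' rewritten",
        r'Program Files\vendor\app\jquery.min.js': b'/* legitimate dotted name */',
    }
    for rel, body in files.items():
        p = Path(root).joinpath(*PureWindowsPath(rel).parts)
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(body)
    return hashlib.sha256(sample_body).hexdigest()


def run_demo():
    """Build the constructed tree, scan it and return the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        bad = build_demo_tree(tmp)
        return scan(tmp, known_bad={bad}, newer_than=time.time() - 3600)


if __name__ == '__main__':
    for f in sorted(run_demo(), key=lambda f: (f['kind'], f['name'])):
        print(f)
```

On a live host call scan for each root of interest, seeding known_bad with the report's SHA256 (1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6, which the boxed-delete.avi.exe copy carries) and newer_than with a timestamp before the suspected infection. The jquery.min.js entry in the demo shows why original_present matters: legitimate dotted names also have two suffixes, and only a sidecar whose original still exists beside it is a strong match for this sample's behaviour.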
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\fabric.min.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ui-strings.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File opened for modification | C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css | C:\Windows\SysWOW64\WScript.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\xml.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.dataview.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-footer-vm.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\OobeCloudContentHydrant.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\ui-dark.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\formatWorker.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\coffee.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\ErrorPageStyles.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\appLaunchers\HostedApplication.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\appLaunchers\OobeEnterpriseProvisioningAfterConnectivity.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\scoobeoutro-page.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\storage.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\cortana.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\devicereactivation.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\helloEnrollmentPage.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeprovisioningstatus-page.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\styles\networkGrid.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\navmesh.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Microsoft.WinJS-reduced\js\base.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\autopilotespprogress-vm.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\cortanaPage.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-footer-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\hololensWorkAccount.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSecurityInclusive.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeerror-page.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\button.css | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\FormattedTextMapping.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\OEMRegistrationPage.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\accountsetupcategoryviewmodel.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\typescript\formatterTypescriptServices.nls.keys.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\editor\editor.main.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\sspr-frame-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\hololensWorkAccount.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\autopilotespprogress-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\deviceDisplayNameSetup.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\unifiedEnrollmentDiscoveryPage.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\oobe-chrome-breadcrumb-vm.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\css\oobe-desktop.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeautopilotreboot-page.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobenetworklossaversion-page.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveSspr\js\ssprerror-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\5.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\remote\storageRemote.bundle.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\navigationManager.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobezdp-helpers.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoSecurity.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\ooberegion-page.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\deviceUserPage.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelanguage-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\common\GifSequencePlayer.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\appObjectFactory.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\storage.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\resources.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\8.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-chrome-contentview-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeerror-vm.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\Formatter.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\commonPlugin.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\retailDemo.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\lib\require.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeeula-vm.js.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\21.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\scoobeoutro-page.js | C:\Windows\SysWOW64\WScript.exe | N/A |
| File created | C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\TokenExtractor.css.vbs | C:\Windows\SysWOW64\WScript.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\Regedit.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\Regedit.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe
"C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe"
C:\Windows\SysWOW64\Regedit.exe
Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Windows\SysWOW64\Regedit.exe
Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\2.reg
C:\Windows\SysWOW64\Regedit.exe
Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\3.reg
C:\Windows\SysWOW64\Regedit.exe
Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\4.reg
C:\Windows\SysWOW64\Regedit.exe
Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\5.reg
C:\Windows\SysWOW64\Regedit.exe
Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\6.reg
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Windows\WinExec.exe.vbs"
Network
Files
memory/624-0-0x0000000000400000-0x0000000000417000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\2.reg
C:\Users\Admin\AppData\Local\Temp\3.reg
C:\Users\Admin\AppData\Local\Temp\4.reg
C:\Users\Admin\AppData\Local\Temp\5.reg
C:\Users\Admin\AppData\Local\Temp\6.reg
C:\Windows\WinExec.exe.vbs
C:\Windows\MSIEXEC32.EXE
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\ErrorPageStyles.css.vbs
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\PhishSiteStyles.css.vbs
C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\TridentErrorPageStyles.css.vbs