Malware Analysis Report

2025-03-15 08:23

Sample ID 241020-1fhfys1fkc
Target 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N
SHA256 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6
Tags
discovery persistence ransomware spyware stealer
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6

Threat Level: Likely malicious

The file 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N was found to be: Likely malicious.

Malicious Activity Summary

discovery persistence ransomware spyware stealer

Renames multiple (1294) files with added filename extension

Renames multiple (231) files with added filename extension

Checks computer location settings

Reads user/profile data of web browsers

Adds Run key to start application

Drops file in System32 directory

Drops file in Windows directory

Drops file in Program Files directory

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Runs .reg file with regedit

Modifies registry class

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-20 21:35

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-20 21:35

Reported

2024-10-20 21:37

Platform

win7-20240729-en

Max time kernel

41s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe"

Signatures

Renames multiple (231) files with added filename extension

ransomware

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Yesenia = "C:\\Windows\\MSIEXEC32.EXE" C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinExec = "C:\\Windows\\WinExec.exe.vbs" C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinExec = "C:\\Windows\\Winexec.exe.vbs" C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSIEXEC = "C:\\Windows\\MSIEXEC32.EXE" C:\Windows\SysWOW64\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\winrm.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\slmgr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\migwiz\PostMigRes\Web\reportapi.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File created C:\Program Files\VideoLAN\VLC\lua\http\css\main.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\js\calendar.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\library.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_classic_win7.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\css\currency.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME22.CSS.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\timeZones.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Biscay.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME43.CSS.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_globalstyle.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\css\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\picturePuzzle.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\RSSFeeds.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\form_edit.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\en-US\js\cpu.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\css\picturePuzzle.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\css\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Biscay.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4-dark_win.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\css\settings.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\flyout.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\delete.avi.exe C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\picturePuzzle.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\highDpiImageSwap.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\weather.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\css\localizedSettings.css C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Sts.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\cpu.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\js\cpu.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\settings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_win7.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\settings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME09.CSS C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME40.CSS.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\es-ES\js\settings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\e4_default_mru_on_win7.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\fr-FR\css\slideShow.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\es-ES\css\weather.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\de-DE\js\timeZones.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\en-US\js\currency.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\css\settings.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\fr-FR\js\localizedStrings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\PUBFTSCM\SCHEME13.CSS.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FORM.JS C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\utilityfunctions.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightYellow.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\calendar.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\css\RSSFeeds.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.notification_5.5.0.165303\html\dcommon\css\blafdoc.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\js\settings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\1033\GrooveForms5\FormsStyles\Oasis.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\SUBMIT.JS.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\fr-FR\css\cpu.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\es-ES\css\clock.css.vbs C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\localizedSettings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\localizedSettings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5956204d6dda4df5\picturePuzzle.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-iis-legacyscripts_31bf3856ad364e35_6.1.7600.16385_none_da3b5e9090e80564\IIsExt.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_997299d423475883\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_0accb12490597570\timeZones.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_de-de_e9ea273bf74e2d7d\highDpiImageSwap.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 08.wma C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\flyout.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6c1ecf50d014f9d9\slideShow.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_5646c597a746df57\settings.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_de-de_c1b17ba477234d5e\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_en-us_39b468a7491888f2\calendar.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\library.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\weather.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\weather.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_31173e7d19fe591a\picturePuzzle.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9549b67c137efeb\cpu.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-ringtonesamples_31bf3856ad364e35_6.1.7600.16385_none_135e536ebbe59c28\Ringtone 05.wma.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\localizedStrings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_en-us_dbfc68edd3137610\clock.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_f86c44a49a61f132\slideShow.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\currency.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\settings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_it-it_1f85c65eb05726c7\library.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\settings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_0246f6465cb859ba\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_de-de_8486739b50ee62de\library.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\RSSFeeds.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_it-it_ba2212be09f75c28\localizedStrings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_6c1ecf50d014f9d9\slideShow.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_de-de_0098688ad232f281\cpu.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ASP.NETWebAdminFiles\WebAdminStyles.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_d85986ba7e56fda6\cpu.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_en-us_6aa2519d66015923\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_b60543bd2d988807\settings.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\localizedStrings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_5956204d6dda4df5\picturePuzzle.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_en-us_8734fb86705288a7\flyout.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..howgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_c9675951dd42e377\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_es-es_6a6dae8166284ac8\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_5c4791cafd126e03\library.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_ja-jp_c1ab456ba37238a2\localizedSettings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-p..inscripts.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_0d25248058fa612a\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\init.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_29b7ce69634b90ae\settings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..zlegadget.resources_31bf3856ad364e35_6.1.7600.16385_it-it_8ef1bf7026e3473f\picturePuzzle.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_es-es_8700586a70797a4c\RSSFeeds.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_en-us_92dafd34e62c3942\localizedStrings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\settings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_355dd017d9254149\weather.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-gadgets-cpu.resources_31bf3856ad364e35_6.1.7600.16385_es-es_a9549b67c137efeb\cpu.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-calendar.resources_31bf3856ad364e35_6.1.7600.16385_de-de_90c392ae5a3a7d2d\calendar.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..-currency.resources_31bf3856ad364e35_6.1.7600.16385_es-es_2d42a6783ff36048\currency.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..edsgadget.resources_31bf3856ad364e35_6.1.7600.16385_de-de_de44258d81747ce2\RSSFeeds.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_de-de_330b92f4e4356a4b\settings.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..ets-clock.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_7e7f3bd0c60c7e17\timeZones.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\winsxs\amd64_microsoft-windows-g..s-weather.resources_31bf3856ad364e35_6.1.7600.16385_es-es_92a65a18e6532ae7\settings.css.vbs C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2704 wrote to memory of 2700 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2796 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2692 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2360 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2812 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 2704 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe
PID 2704 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe

"C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe"

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\2.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\3.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\4.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\5.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\6.reg

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\WinExec.exe.vbs"

Network

N/A

Files

memory/2704-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg
C:\Users\Admin\AppData\Local\Temp\2.reg
C:\Users\Admin\AppData\Local\Temp\3.reg
C:\Users\Admin\AppData\Local\Temp\4.reg
C:\Users\Admin\AppData\Local\Temp\5.reg
C:\Users\Admin\AppData\Local\Temp\6.reg
C:\PROGRA~1\COMMON~1\MICROS~1\ink\en-US\boxed-delete.avi.exe
C:\Windows\WinExec.exe.vbs
C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\it-IT\css\calendar.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\clock.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\clock.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\css\settings.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\it-IT\js\timeZones.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\it-IT\css\cpu.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\currency.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\init.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\library.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\css\picturePuzzle.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\css\settings.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\flyout.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\RSSFeeds.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\css\settings.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\js\settings.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\settings.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\css\slideShow.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\localizedSettings.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\settings.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\weather.css.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\highDpiImageSwap.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\library.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\localizedStrings.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\settings.js.vbs
C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\js\weather.js.vbs
C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\de-DE\css\currency.css.vbs

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-20 21:35

Reported

2024-10-20 21:37

Platform

win10v2004-20241007-en

Max time kernel

86s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe"

Signatures

Renames multiple (1294) files with added filename extension

ransomware

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A

Reads user/profile data of web browsers

spyware stealer

Adds Run key to start application

persistence

Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Yesenia = "C:\\Windows\\MSIEXEC32.EXE" C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinExec = "C:\\Windows\\WinExec.exe.vbs" C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\WinExec = "C:\\Windows\\Winexec.exe.vbs" C:\Windows\SysWOW64\WScript.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunServices\MSIEXEC = "C:\\Windows\\MSIEXEC32.EXE" C:\Windows\SysWOW64\WScript.exe N/A

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-constraints.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnqctl.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\winrm.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\slmgr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\de-DE\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnport.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\pubprn.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnmngr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\en-US\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\es-ES\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prndrvr.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\fr-FR\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prncnfg.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\it-IT\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SysWOW64\Printing_Admin_Scripts\ja-JP\prnjobs.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\System32\DriverStore\FileRepository\prnms009.inf_amd64_a7412a554c9bc1fd\MPDW-constraints.js C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\tr-tr\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\pl-pl\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\en-il\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\hr-hr\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\sv-se\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\viewer\nls\es-es\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\css\main.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\activity-badge\css\main.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\sk-sk\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\on-boarding\js\nls\zh-cn\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\css\main-selector.css C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ca-es\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\js\nls\fi-fi\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-recent-files\js\nls\hr-hr\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\pl-pl\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\sv-se\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\it-it\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\search-summary\js\nls\nl-nl\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\nls\sv-se\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fi-fi\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\zh-cn\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\fr-ma\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\hr-hr\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\es-es\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\fr-ma\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\zh-cn\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sign-services-auth\js\nls\uk-ua\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\task-handler\js\plugin.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\root\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\zh-cn\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\nls\ko-kr\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\ca-es\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\hr-hr\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\createpdfupsell-app\js\nls\en-ae\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\de-de\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer\js\nls\sv-se\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\root\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\combinepdf\js\nls\fr-ma\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\eu-es\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\rna-main.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-computer-select\js\nls\fr-ma\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\scan-files\js\nls\ru-ru\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\files\dev\nls\eu-es\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\digsig\js\selector.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\nb-no\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\ru-ru\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\da-dk\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\add-account\js\nls\da-dk\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\my-files\js\nls\fr-ma\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\nb-no\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\uss-search\js\nls\tr-tr\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files\WindowsApps\Microsoft.Office.OneNote_16001.12026.20112.0_x64__8wekyb3d8bbwe\notificationsUI\fabric.min.css C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\desktop-connector-files\js\nls\nl-nl\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\pages-app\js\nls\nl-nl\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\sample-files\js\nls\en-ae\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\send-for-sign\js\nls\ar-ae\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\unified-share\js\nls\pt-br\ui-strings.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\core\dev\nls\de-de\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\css\main-selector.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\editpdf\js\nls\ja-jp\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\signatures\js\nls\da-dk\ui-strings.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\tracked-send\js\plugins\tracked-send\js\tool\plugin.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File opened for modification C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\WebResources\Resource0\static\js\plugins\aicuc\css\main.css C:\Windows\SysWOW64\WScript.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\xml.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\SlickGrid\slick.dataview.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-light-footer-vm.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\OobeCloudContentHydrant.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\ui-dark.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\formatWorker.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\basic-languages\src\coffee.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\de-DE\assets\ErrorPages\ErrorPageStyles.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\appLaunchers\HostedApplication.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\appLaunchers\OobeEnterpriseProvisioningAfterConnectivity.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\scoobeoutro-page.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\storage.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\cortana.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\devicereactivation.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\helloEnrollmentPage.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeprovisioningstatus-page.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\network\styles\networkGrid.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\navmesh.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\Microsoft.WinJS-reduced\js\base.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\autopilotespprogress-vm.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\cortanaPage.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-footer-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\hololensWorkAccount.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\RetailDemo\retailDemoSecurityInclusive.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeerror-page.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\button.css C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\FormattedTextMapping.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\OEMRegistrationPage.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\accountsetupcategoryviewmodel.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\typescript\formatterTypescriptServices.nls.keys.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\monaco-editor\min\vs\editor\editor.main.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\sspr-frame-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\hololensWorkAccount.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\autopilot\autopilotespprogress-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\deviceDisplayNameSetup.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\unifiedEnrollmentDiscoveryPage.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\core\js\oobe-chrome-breadcrumb-vm.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\css\oobe-desktop.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeautopilotreboot-page.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobenetworklossaversion-page.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveSspr\js\ssprerror-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\5.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\remote\storageRemote.bundle.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\navigationManager.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobezdp-helpers.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\retailDemoSecurity.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\ooberegion-page.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\deviceUserPage.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobelanguage-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\common\GifSequencePlayer.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\appObjectFactory.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\storage\storage.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\resources.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\8.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobe-chrome-contentview-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\oobeerror-vm.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\Formatter\Formatter.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\commonPlugin.css.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\js\retailDemo.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\lib\require.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.CloudExperienceHost_cw5n1h2txyewy\webapps\inclusiveOobe\js\oobeeula-vm.js.vbs C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\cache\Local\Desktop\21.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\WinSxS\amd64_microsoft-windows-c..riencehost.appxmain_31bf3856ad364e35_10.0.19041.117_none_e0d32848ac56114e\scoobeoutro-page.js C:\Windows\SysWOW64\WScript.exe N/A
File created C:\Windows\SystemApps\Microsoft.MicrosoftEdgeDevToolsClient_8wekyb3d8bbwe\23\common\perftools\TokenExtractor.css.vbs C:\Windows\SysWOW64\WScript.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\WScript.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\Regedit.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A

Runs .reg file with regedit

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A
N/A N/A C:\Windows\SysWOW64\Regedit.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 624 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3604 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3316 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3728 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 2540 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 1804 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 3724 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\Regedit.exe
PID 624 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe
PID 624 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe
PID 624 wrote to memory of 4772 N/A C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe C:\Windows\SysWOW64\WScript.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe

"C:\Users\Admin\AppData\Local\Temp\1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6N.exe"

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\1.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\2.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\3.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\4.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\5.reg

C:\Windows\SysWOW64\Regedit.exe

Regedit.exe /s C:\Users\Admin\AppData\Local\Temp\6.reg

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Windows\WinExec.exe.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 73.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 19.229.111.52.in-addr.arpa udp

Files

memory/624-0-0x0000000000400000-0x0000000000417000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\1.reg

MD5 1b8aa9c4579e695f722c7efeb62b1ceb
SHA1 efd42acaefecbabbad2712c61b499c86cf587ed9
SHA256 6f5d42baf0d55a215ee384479a8881e8781eb4302893abc85ae8b2219dbfc87e
SHA512 85947a9a2c9aa0eeb2b13f1e1dfd8cee0c3c584ecadfde981ca8c6876afcf4b493872520138b0f172ab5875e2a655a9e2880cb72b9ed7bcf205b9fb8d7a6473d

C:\Users\Admin\AppData\Local\Temp\2.reg

MD5 3cf886f68272009e51bf760ff02f2fd1
SHA1 1c8d1db4f21738cf3345a5f8934920282d8aaf27
SHA256 69a21a0cd503689fc61f0aef1803a4addf742ca55e6c1c60595a3dc435eb275c
SHA512 c98169b4e3ad37339b6e465c436c8f67413e6c2ea32a1ce44c75ee6d39947b3ac9ac3e8ee06cda962e22484c1fe52f5242f197155975ab94c15ad8700392fe2f

C:\Users\Admin\AppData\Local\Temp\3.reg

MD5 c0a6a61f9509d470195892991d17f51f
SHA1 db566bf2c08894eaf3032e7c0aff68d01d99b382
SHA256 ad94ca231b24a4d7cd6f34fd009e8eddf9d09114fbfd7bab287c2e88479ad700
SHA512 93680d6353ead2899c6070deeef60d57ec67323bad090fcae2b9c47e0748640345379ed4607646068772e11487f1915851809de0245a29263a50dd0755ccfb69

C:\Users\Admin\AppData\Local\Temp\4.reg

MD5 7ff9ca1a78edea205480a199f18c3c52
SHA1 39ce114f5ce61f5de55485d953d7194e377f80ad
SHA256 bf70e43d27eb1e179e22f22721060a162d28f202ffaa09848d68bb36d15e1dcb
SHA512 80b89528a49716d1215da373a8d84c68c2acf29ff085f3a8694f4d3294f16e7238e3f41c63eae481596de58f772dbfe8ef10f300cc58c75eb748c195364e1c94

C:\Users\Admin\AppData\Local\Temp\5.reg

MD5 3e3b711f00fddb7bd82e6ca38be79af9
SHA1 a3c9ee6e8e8d9617c3814c9f3f31c50a2ca80e42
SHA256 776c84a44d9c7da404aae26d8238b242b4ec8a49c66bddf564104fec4e126acf
SHA512 c403865f368333a1f849c5ae379c36fdc8f96bc8e235d8e5680d1866d65ba4eeed402292aeb8f8ed7891a91081db8b1721bc3647e7e07b74f3590ebe5c44e8b2

C:\Users\Admin\AppData\Local\Temp\6.reg

MD5 605e06f594a02d384a023169fd6da5e6
SHA1 c61c8ab826851d808ee55fbc90073da44c1efa99
SHA256 92f0a278cf25a44853b5af65f54f29cb62c4c3c1cf9d368e4ac90f70f0d79a28
SHA512 fc5be0eccb6100c1280f351b53dd39930f2731751d67d253d2623029f49f0d9f931b43b3e2072ad11c7db2b944b579d03ef761801dae02d240ac7c8d643cf79d

C:\Windows\WinExec.exe.vbs

MD5 41cea5604b6bd6971deca5227766eaee
SHA1 b4f1fe5c9f56ffe92e9aae018ee7146b5b1d6c51
SHA256 595d16fada5b5b80331b1b49ee39dba522cf17cf111be920ba596d01f85fa93d
SHA512 0b15fca5c5761c3c489c419f01dd8c918385ea837b5fb10db184c8cd08e8811c0547f00a90f7dd8ccb73e1907f55f2b4c7574547dd8a35a4d46bcc37575ab6a0

C:\Windows\MSIEXEC32.EXE

MD5 921a82bd0fe814e8c9a529e8c1d3ae40
SHA1 7aabea2c09e17f31d3d5ce8b7134c25ecebcca97
SHA256 1d9f0e5240f25cc5c277a66e4c63597bce8c7c89821944b2cb42a8ece39167b6
SHA512 62600508aa8e687abb160bb2ffbe01f6dbe07598309c8a8e1c97d5ebe8d650db76d144d38c67ec1e045e918e22ed881b1be19c539d7e3699558181b1e7c28647

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\ErrorPageStyles.css.vbs

MD5 0acb2045c25d91efe3d67166b650101a
SHA1 76c503ec1d87b8358eb8e226086baef23eb298cc
SHA256 deb9bfc6d236a35310eaa6c23cebb1542fbc2eab801285b87c4b828f22627091
SHA512 d9fbcab6ed8840e9b83fb83012db2d6895749ebd999a3676791c84449e9cbb0089ef111ad2a2aa1fe87a8a320cf52cf9df3b3f6ca9ac266f39cc290f95a3c466

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\PhishSiteStyles.css.vbs

MD5 3517207921bc421e52b64ede4226134f
SHA1 67da2033c4b3eddf347433ac4e79e4a1379eaf81
SHA256 c34a78268a7338d1e5d1c0f0c44e5a8cc78f670d8c871261b6f8d302e0b29176
SHA512 713cd6ad7d14252ff9ed43898c1132968a306933c6b4c46327d07a945c1989ba8f5d149bbd8ffb59c211979e7c783e9c22bf6dec6c08e0bd46517411ddf0a546

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\uk-UA\assets\ErrorPages\TridentErrorPageStyles.css.vbs

MD5 559a66b58cf5163690ab75559c8801fb
SHA1 b334704e65d0b492e78e71f65f455383060ac067
SHA256 807ebc19ab4a95f4f03096c7e6acca70d263fdf256d62484270a7ce539443272
SHA512 2a57029f8957a47a1d873c8e08c283c929c43e21e8c18764c8ca2ff812eaf999aabd9f28574f69d0a70437912c2a7d90909745c0b590a927fb5c73aa98c52a6f