30a220aed9f5c0c92a4737a4f32b2ce66eb3d1e8525d0b6879321592b79096ca

Analysis

max time kernel
121s
max time network
497s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

102KB
MD5

b64873bc80527aa8e18c0a3b95244f19
SHA1

af6c574a2b8fac6a565c551a196ce07e92fd05cc
SHA256

30a220aed9f5c0c92a4737a4f32b2ce66eb3d1e8525d0b6879321592b79096ca
SHA512

b78165b6edec3abd32ee2bd0465cbc7e30fc14c32db66b65bebb0c1d5a7061cec85172f26a57b97630baa47ee17405560f17da5f37d9f80d141dba5198158f7c
SSDEEP

1536:j7fbN3eEDhDPA/pICdUkbBtW7upvaLU0bI5taxKo0IOlnToIf9w2PwpLpNuOh:/7DhdC6kzWypvaQ0FxyNTBf9T8Dv

Score

8^/10

discovery exploit spyware stealer

Malware Config

Signatures

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	process
8372	takeown.exe
6776	takeown.exe
8876	icacls.exe
6616	icacls.exe
10172	takeown.exe
5956	icacls.exe
10632	takeown.exe
1780	icacls.exe
8572	icacls.exe
8032	icacls.exe
12796	icacls.exe
12196	icacls.exe
12524	icacls.exe
11820	takeown.exe
8668	takeown.exe
3444	takeown.exe
12180	takeown.exe
11776	takeown.exe
5052	icacls.exe
4584	takeown.exe
9316	icacls.exe
4400	takeown.exe
13036	icacls.exe
10748	icacls.exe
8572	takeown.exe
1832	takeown.exe
10000	takeown.exe
6852	takeown.exe
4604	takeown.exe
5776	icacls.exe
1168	takeown.exe
6964	takeown.exe
10248	takeown.exe
224	takeown.exe
5780	icacls.exe
9996	icacls.exe
12896	icacls.exe
10660	takeown.exe
13112	takeown.exe
6320	takeown.exe
8668	takeown.exe
11392	icacls.exe
6960	icacls.exe
1832	icacls.exe
10120	takeown.exe
11444	takeown.exe
12860	takeown.exe
7544	takeown.exe
3472	icacls.exe
12452	icacls.exe
12528	icacls.exe
6592	takeown.exe
3300	takeown.exe
9932	takeown.exe
5732	icacls.exe
11252	icacls.exe
3300	takeown.exe
12832	takeown.exe
1780	icacls.exe
3300	takeown.exe
5776	icacls.exe
12540	takeown.exe
12980	takeown.exe
8820	icacls.exe

Checks computer location settings 2 TTPs 9 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exe

pid	process
9932	takeown.exe
12948	takeown.exe
12796	icacls.exe
11952	takeown.exe
11220	icacls.exe
3300	takeown.exe
548	takeown.exe
6544	takeown.exe
3472	icacls.exe
10632	takeown.exe
6960	icacls.exe
12712	takeown.exe
11252	icacls.exe
1780	icacls.exe
12572	icacls.exe
12676	icacls.exe
12896	icacls.exe
12216	icacls.exe
6356	takeown.exe
12316	takeown.exe
12884	icacls.exe
12952	icacls.exe
8820	icacls.exe
6828	icacls.exe
3188	takeown.exe
12072	takeown.exe
12180	takeown.exe
1160	icacls.exe
12540	takeown.exe
10172	takeown.exe
8124	icacls.exe
3580	icacls.exe
6960	icacls.exe
1160	icacls.exe
9628	takeown.exe
9408	icacls.exe
8032	icacls.exe
6324	takeown.exe
10248	takeown.exe
8544	takeown.exe
11544	takeown.exe
6508	takeown.exe
6712	takeown.exe
5052	icacls.exe
6320	takeown.exe
7436	takeown.exe
5444	takeown.exe
5456	takeown.exe
10896	icacls.exe
12952	icacls.exe
12540	icacls.exe
8572	icacls.exe
2080	icacls.exe
1832	icacls.exe
11392	icacls.exe
12860	takeown.exe
12824	takeown.exe
8424	icacls.exe
3268	takeown.exe
1792	takeown.exe
13216	takeown.exe
13128	takeown.exe
9316	icacls.exe
6508	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Drops autorun.inf file 1 TTPs 9 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in Windows directory 10 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

6960 4204 WerFault.exe dwm.exe

pid	pid_target	process	target process
6960	4204	WerFault.exe	dwm.exe

Gathers network information 2 TTPs 23 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command-Line Interface

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
5032	ipconfig.exe
6992	ipconfig.exe
5732	ipconfig.exe
1908	ipconfig.exe
4172	ipconfig.exe
6132	ipconfig.exe
5096	ipconfig.exe
6408	ipconfig.exe
4620	ipconfig.exe
6392	ipconfig.exe
6968	ipconfig.exe
5004	ipconfig.exe
1104	ipconfig.exe
1004	ipconfig.exe
9956	ipconfig.exe
7280	ipconfig.exe
1920	ipconfig.exe
7240	ipconfig.exe
12144	ipconfig.exe
2224	ipconfig.exe
7524	ipconfig.exe
5628	ipconfig.exe
8160	ipconfig.exe

Kills process with taskkill 21 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4756	taskkill.exe
2476	taskkill.exe
9844	taskkill.exe
6520	taskkill.exe
3252	taskkill.exe
6044	taskkill.exe
5920	taskkill.exe
8012	taskkill.exe
9740	taskkill.exe
3904	taskkill.exe
4512	taskkill.exe
8708	taskkill.exe
7180	taskkill.exe
12040	taskkill.exe
6132	taskkill.exe
6908	taskkill.exe
8540	taskkill.exe
7736	taskkill.exe
12556	taskkill.exe
10748	taskkill.exe
3240	taskkill.exe

Modifies registry class 29 IoCs

Processes:

cmd.execalc.exeWScript.exeexplorer.exeWScript.execmd.execalc.exeexplorer.exetaskkill.execmd.execalc.execmd.execalc.execmd.execalc.exeexplorer.exeexplorer.exetakeown.exeConhost.exeexplorer.execalc.exeWScript.execmd.execmd.execalc.exeexplorer.execmd.execmd.exeWScript.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	taskkill.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	takeown.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	Conhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	WScript.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2275444769-3691835758-4097679484-1000_Classes\Local Settings	WScript.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
4032	mspaint.exe
4032	mspaint.exe
2068	mspaint.exe
2068	mspaint.exe
5356	mspaint.exe
5356	mspaint.exe
5796	mspaint.exe
5796	mspaint.exe
3672	mspaint.exe
3672	mspaint.exe
5492	mspaint.exe
5492	mspaint.exe
1196	mspaint.exe
1196	mspaint.exe
1456	mspaint.exe
1456	mspaint.exe
4556	mspaint.exe
4556	mspaint.exe
8644	mspaint.exe
8644	mspaint.exe

Suspicious use of AdjustPrivilegeToken 15 IoCs

Processes:

takeown.exetaskkill.exetakeown.exetaskkill.exetakeown.exetaskkill.exetakeown.exetaskkill.exetakeown.exetakeown.exeConhost.exetakeown.exetaskkill.exeWScript.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	224	takeown.exe
Token: SeDebugPrivilege	3904	taskkill.exe
Token: SeTakeOwnershipPrivilege	4200	takeown.exe
Token: SeDebugPrivilege	4756	taskkill.exe
Token: SeTakeOwnershipPrivilege	3396	takeown.exe
Token: SeDebugPrivilege	2476	taskkill.exe
Token: SeTakeOwnershipPrivilege	6932	takeown.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeTakeOwnershipPrivilege	6852	takeown.exe
Token: SeTakeOwnershipPrivilege	5764	takeown.exe
Token: SeDebugPrivilege	6132	Conhost.exe
Token: SeTakeOwnershipPrivilege	4584	takeown.exe
Token: SeDebugPrivilege	5920	taskkill.exe
Token: SeDebugPrivilege	4512	WScript.exe
Token: SeTakeOwnershipPrivilege	7436	takeown.exe

Suspicious use of SetWindowsHookEx 49 IoCs

Processes:

mspaint.exemspaint.exeOpenWith.exeOpenWith.exemspaint.exemspaint.exetakeown.exeOpenWith.exemspaint.exemspaint.exeOpenWith.exetakeown.exemspaint.exemspaint.exeOpenWith.execmd.exemspaint.exemspaint.exeOpenWith.exe

pid	process
4032	mspaint.exe
2068	mspaint.exe
4032	mspaint.exe
4032	mspaint.exe
4032	mspaint.exe
2068	mspaint.exe
2068	mspaint.exe
2068	mspaint.exe
4608	OpenWith.exe
4592	OpenWith.exe
5356	mspaint.exe
5356	mspaint.exe
5356	mspaint.exe
5356	mspaint.exe
5796	mspaint.exe
5796	mspaint.exe
5796	mspaint.exe
5796	mspaint.exe
5456	takeown.exe
5760	OpenWith.exe
3672	mspaint.exe
5492	mspaint.exe
3672	mspaint.exe
3672	mspaint.exe
3672	mspaint.exe
5492	mspaint.exe
5492	mspaint.exe
5492	mspaint.exe
5400	OpenWith.exe
6508	takeown.exe
1196	mspaint.exe
1196	mspaint.exe
1196	mspaint.exe
1196	mspaint.exe
1456	mspaint.exe
1456	mspaint.exe
1456	mspaint.exe
1456	mspaint.exe
4608	OpenWith.exe
5652	cmd.exe
4556	mspaint.exe
4556	mspaint.exe
4556	mspaint.exe
4556	mspaint.exe
8644	mspaint.exe
8644	mspaint.exe
8644	mspaint.exe
8644	mspaint.exe
8280	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ADZP 20 Complex.execmd.execmd.exeADZP 20 Complex.exeADZP 20 Complex.exe

description	pid	process	target process
PID 3900 wrote to memory of 636	3900	ADZP 20 Complex.exe	cmd.exe
PID 3900 wrote to memory of 636	3900	ADZP 20 Complex.exe	cmd.exe
PID 636 wrote to memory of 1460	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 1460	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3204	636	cmd.exe	cmd.exe
PID 636 wrote to memory of 3204	636	cmd.exe	cmd.exe
PID 636 wrote to memory of 3736	636	cmd.exe	reg.exe
PID 636 wrote to memory of 3736	636	cmd.exe	reg.exe
PID 636 wrote to memory of 3688	636	cmd.exe	reg.exe
PID 636 wrote to memory of 3688	636	cmd.exe	reg.exe
PID 3204 wrote to memory of 224	3204	cmd.exe	takeown.exe
PID 3204 wrote to memory of 224	3204	cmd.exe	takeown.exe
PID 636 wrote to memory of 5096	636	cmd.exe	ipconfig.exe
PID 636 wrote to memory of 5096	636	cmd.exe	ipconfig.exe
PID 636 wrote to memory of 3904	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 3904	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 680	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 680	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4516	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4516	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 2688	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 2688	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4952	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4952	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3060	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3060	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4108	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4108	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4624	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 4624	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3536	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3536	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3936	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 3936	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 1364	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 1364	636	cmd.exe	WScript.exe
PID 636 wrote to memory of 900	636	cmd.exe	msg.exe
PID 636 wrote to memory of 900	636	cmd.exe	msg.exe
PID 636 wrote to memory of 2844	636	cmd.exe	msg.exe
PID 636 wrote to memory of 2844	636	cmd.exe	msg.exe
PID 636 wrote to memory of 2032	636	cmd.exe	msg.exe
PID 636 wrote to memory of 2032	636	cmd.exe	msg.exe
PID 636 wrote to memory of 2072	636	cmd.exe	ADZP 20 Complex.exe
PID 636 wrote to memory of 2072	636	cmd.exe	ADZP 20 Complex.exe
PID 636 wrote to memory of 2072	636	cmd.exe	ADZP 20 Complex.exe
PID 636 wrote to memory of 4876	636	cmd.exe	notepad.exe
PID 636 wrote to memory of 4876	636	cmd.exe	notepad.exe
PID 636 wrote to memory of 4756	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 4756	636	cmd.exe	taskkill.exe
PID 636 wrote to memory of 4944	636	cmd.exe	explorer.exe
PID 636 wrote to memory of 4944	636	cmd.exe	explorer.exe
PID 636 wrote to memory of 4032	636	cmd.exe	mspaint.exe
PID 636 wrote to memory of 4032	636	cmd.exe	mspaint.exe
PID 2072 wrote to memory of 1804	2072	ADZP 20 Complex.exe	cmd.exe
PID 2072 wrote to memory of 1804	2072	ADZP 20 Complex.exe	cmd.exe
PID 636 wrote to memory of 3624	636	cmd.exe	ADZP 20 Complex.exe
PID 636 wrote to memory of 3624	636	cmd.exe	ADZP 20 Complex.exe
PID 636 wrote to memory of 3624	636	cmd.exe	ADZP 20 Complex.exe
PID 636 wrote to memory of 2348	636	cmd.exe	notepad.exe
PID 636 wrote to memory of 2348	636	cmd.exe	notepad.exe
PID 3624 wrote to memory of 3572	3624	ADZP 20 Complex.exe	cmd.exe
PID 3624 wrote to memory of 3572	3624	ADZP 20 Complex.exe	cmd.exe
PID 636 wrote to memory of 2868	636	cmd.exe	calc.exe
PID 636 wrote to memory of 2868	636	cmd.exe	calc.exe

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3900

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC33.tmp\AC34.tmp\AC35.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
2⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:1460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:3204

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
4⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:224

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:3736

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:3688

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:5096

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1364

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:900

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:2844

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:2032

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BB27.tmp\BB28.tmp\BB29.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:1804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:1188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:3420

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:3396

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:4892

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:3220

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:5004

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:5216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:5596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:5864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:5132

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:5392

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:5484

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:3404

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:4404

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2ED0.tmp\2ED1.tmp\2ED2.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:4052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:5944

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:5764

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:6868

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:6112

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:4620

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7628

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8500

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:8704

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:8764

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:8868

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:9092

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81DD.tmp\81DE.tmp\81DF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:6716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:6088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:7784

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:6456

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:7280

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:3116

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:7280

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:8540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10720

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:11052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:5308

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:7424

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:11748

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:12224

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:7880

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\926E.tmp\926F.tmp\927F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:5420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:11740

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:11664

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:11860

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
11⤵
- Kills process with taskkill
PID:10748

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:4388

C:\Windows\system32\calc.exe
calc
9⤵
PID:3816

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:7032

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:11340

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:2764

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C219.tmp\C21A.tmp\C21B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:6580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:4452

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:12680

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:13268

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:9956

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
11⤵
- Kills process with taskkill
PID:9740

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:6576

C:\Windows\system32\calc.exe
calc
9⤵
PID:8524

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:6512

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:10812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:13168

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:12648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:12756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:12396

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8248

C:\Windows\system32\calc.exe
calc
7⤵
PID:8724

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:4428

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:9048

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:868

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B1A7.tmp\B1A8.tmp\B1A9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:6764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:5712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:8896

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
10⤵
- Modifies registry class
PID:8432

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:8472

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:6128

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:9172

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:7240

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:9844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
- Suspicious use of AdjustPrivilegeToken
PID:4512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:9788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:1472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:9752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:3920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10596

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10664

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10808

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:10956

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:11176

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\12AE.tmp\12AF.tmp\12B0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:6964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:7776

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9932

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:1004

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:6552

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:2224

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:8824

C:\Windows\system32\calc.exe
calc
9⤵
PID:10656

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:10920

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:11128

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:11320

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3922.tmp\3923.tmp\3924.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:11588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:11764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:11988

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
- Modifies file permissions
PID:6356

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:7276

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:4748

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:6132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:9304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
11⤵
PID:1320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:11200

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
11⤵
PID:6704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:10244

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
11⤵
PID:10320

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:11500

C:\Windows\system32\calc.exe
calc
9⤵
PID:11684

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:11840

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:12016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:6872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:9952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:12620

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:9124

C:\Windows\system32\calc.exe
calc
7⤵
PID:7828

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:8708

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:4428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
- Modifies registry class
PID:5704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:4704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6976

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5332

C:\Windows\system32\calc.exe
calc
5⤵
- Modifies registry class
PID:2596

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5608

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:228

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B44.tmp\3B45.tmp\3B46.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:6492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:6288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:4688

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
8⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:4584

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4104

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:3504

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:6392

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:4512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8072

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8088

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
- Modifies registry class
PID:5396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7488

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6732

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:8240

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:8560

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:8740

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8796

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7896.tmp\7897.tmp\7898.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:8928

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:8108

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:7344

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:8372

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:8532

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:3920

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:1920

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:7180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8468

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8136

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:4132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:6988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:9652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:9588

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:4588

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:8860

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:9472

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:10536

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\659C.tmp\659D.tmp\659E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:11684

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:9768

C:\Windows\system32\calc.exe
calc
9⤵
PID:7636

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:12448

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:12584

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:12792

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EEE.tmp\8EEF.tmp\8EF0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:13116

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:13016

C:\Windows\system32\calc.exe
calc
9⤵
PID:13268

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:6968

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:12828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11168

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:13140

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8848

C:\Windows\system32\calc.exe
calc
7⤵
PID:8952

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:9044

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:9128

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8244

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9A86.tmp\9A87.tmp\9A88.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:8760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:7696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:8452

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:2304

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:11220

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Modifies file permissions
PID:2080

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Modifies file permissions
PID:12316

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:11560

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:6468

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:6592

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:6664

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:7564

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:13128

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Modifies file permissions
PID:1160

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:5780

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:9936

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:3712

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:3444

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12540

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:9680

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:12832

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:12820

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:11212

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:3472

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9316

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:12792

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:4400

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:7544

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:13032

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:12900

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Modifies file permissions
PID:12948

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:13044

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:13036

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:6324

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:10588

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10172

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1780

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10248

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:10856

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Modifies file permissions
PID:6828

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:8876

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:13112

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Modifies file permissions
PID:8424

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:12460

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:9676

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:3908

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:1832

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:12316

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Modifies file permissions
PID:6960

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:6320

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:11776

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:10656

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:460

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:12832

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:5956

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:4380

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3472

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:3188

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:8012

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:11544

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:5516

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:10856

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:12452

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:9332

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:8396

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:3700

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:4172

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:7736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:12264

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:5976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:12228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:9212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11808

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:4972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7876

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10976

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10544

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:11928

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:9484

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:11316

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\659D.tmp\659D.tmp\659E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:9484

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:8612

C:\Windows\system32\calc.exe
calc
9⤵
PID:12328

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:12472

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:12596

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:12856

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EFE.tmp\8EFF.tmp\8F00.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:13128

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:13096

C:\Windows\system32\calc.exe
calc
9⤵
PID:7280

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:9496

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:11280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:13288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:7768

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8444

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8496

C:\Windows\system32\calc.exe
calc
7⤵
PID:8828

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:1912

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:1612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:3460

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:3032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8912

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3672

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:3760

C:\Windows\system32\calc.exe
calc
5⤵
- Modifies registry class
PID:5740

C:\Windows\explorer.exe
explorer.exe
5⤵
- Modifies registry class
PID:6096

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:6724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:7000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:7012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:7136

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6344

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4876

C:\Windows\system32\calc.exe
calc
3⤵
PID:4756

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies registry class
PID:4944

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4032

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:3624

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BDF6.tmp\BDF7.tmp\BDF8.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:3572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:4272

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Suspicious use of AdjustPrivilegeToken
PID:4200

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:6060

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
PID:10228

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:1792

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:12528

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Modifies file permissions
PID:12572

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12180

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:12552

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
PID:6668

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:13216

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:13132

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:1832

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
PID:10252

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:6012

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
PID:5732

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Possible privilege escalation attempt
PID:8668

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Possible privilege escalation attempt
PID:1168

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:10640

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11392

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8032

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:7460

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
PID:1824

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:7964

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Modifies file permissions
PID:12676

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12860

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:12872

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
PID:11628

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
PID:10224

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:6284

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
PID:12184

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11252

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
PID:6616

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:13240

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Modifies file permissions
PID:12824

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:12008

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12896

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Modifies file permissions
PID:12884

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:12612

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Possible privilege escalation attempt
PID:3300

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8820

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:6912

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:13228

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
PID:12992

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
PID:10748

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:6508

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Modifies file permissions
PID:11952

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:3528

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Modifies file permissions
PID:3580

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Possible privilege escalation attempt
PID:8572

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:10184

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
PID:5776

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:3268

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:9792

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
PID:6372

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:7564

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Modifies file permissions
PID:1160

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
PID:12524

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
PID:2316

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:11952

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:2384

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:8544

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
PID:11176

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:12988

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Modifies file permissions
PID:8124

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
PID:12864

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5052

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3300

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Modifies file permissions
- Suspicious use of SetWindowsHookEx
PID:6508

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
PID:8688

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
- Possible privilege escalation attempt
PID:12528

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:11560

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
6⤵
PID:4604

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
6⤵
- Possible privilege escalation attempt
PID:6592

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
6⤵
PID:3268

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
6⤵
PID:1168

C:\Windows\system32\tree.com
tree "C:\Windows"
6⤵
PID:12196

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6320

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:1516

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:4232

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:5032

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:4756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:2872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:2176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:1956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:2624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3704

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:1488

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:2916

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:4892

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:5128

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:5144

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:5188

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\158.tmp\159.tmp\169.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:5324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:6568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:6628

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
8⤵
- Suspicious use of AdjustPrivilegeToken
PID:6932

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:7020

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:7164

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:6408

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6448

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:3644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:2356

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:3976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6120

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:7040

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:5012

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:3412

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:2452

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E54F.tmp\E550.tmp\E551.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:1128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:7204

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:7264

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:7436

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:7700

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:7964

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:8160

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:8708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:3520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:9032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:5836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:5572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:6104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
- Modifies registry class
PID:3760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:9052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:3792

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:6536

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:860

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:6816

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:3116

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7F58.tmp\7F68.tmp\7F69.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:9760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:8740

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
- Suspicious use of SetWindowsHookEx
PID:5652

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10632

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:8956

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:6436

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:1104

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
11⤵
- Kills process with taskkill
PID:3252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:12100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
11⤵
PID:11616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:12136

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
11⤵
PID:9044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:6892

C:\Windows\system32\msg.exe
msg * Virus Detectado
11⤵
PID:12656

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
11⤵
PID:6180

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
- Suspicious use of AdjustPrivilegeToken
PID:6132

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4038.tmp\4039.tmp\403A.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
12⤵
PID:10840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
13⤵
PID:9468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
13⤵
PID:6536

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
13⤵
PID:11980

C:\Windows\system32\notepad.exe
notepad
11⤵
PID:10584

C:\Windows\system32\calc.exe
calc
11⤵
PID:9500

C:\Windows\explorer.exe
explorer.exe
11⤵
PID:10168

C:\Windows\system32\mspaint.exe
mspaint.exe
11⤵
PID:11532

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
11⤵
PID:9432

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C774.tmp\C775.tmp\C776.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
12⤵
PID:9712

C:\Windows\system32\notepad.exe
notepad
11⤵
PID:12500

C:\Windows\system32\calc.exe
calc
11⤵
PID:6760

C:\Windows\explorer.exe
explorer.exe
11⤵
PID:1504

C:\Windows\system32\mspaint.exe
mspaint.exe
11⤵
PID:9856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
11⤵
PID:5312

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:3700

C:\Windows\system32\calc.exe
calc
9⤵
PID:9784

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:9828

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:9892

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:9960

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\908E.tmp\908F.tmp\9090.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:10184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:10688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:6140

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
12⤵
PID:5128

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
PID:7252

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:7360

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:11832

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:1004

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
11⤵
- Kills process with taskkill
PID:12556

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:10048

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:10128

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:10120

C:\Windows\system32\calc.exe
calc
9⤵
PID:10112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8508

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:1920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:9872

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10424

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:5072

C:\Windows\system32\calc.exe
calc
7⤵
- Modifies registry class
PID:4652

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:4680

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1196

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:5056

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EEB5.tmp\EEB6.tmp\EEB7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:1416

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:9100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:5436

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:3300

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:6776

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:8876

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:6508

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6960

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:10248

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:11820

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:12296

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Modifies file permissions
PID:9408

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:10244

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:4604

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:12352

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Modifies file permissions
PID:10896

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:9676

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:6064

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:5344

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:10120

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:5776

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
- Modifies registry class
PID:6964

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:12524

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:9996

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:1660

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:12084

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:13056

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Modifies file permissions
PID:12712

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:3188

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Modifies file permissions
PID:12952

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:9356

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:11744

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:1768

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:9520

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:13160

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:13004

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:12980

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12796

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:9396

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:8388

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:11444

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:10376

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Modifies file permissions
PID:12216

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:3416

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:9004

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:10660

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:1776

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:6420

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Modifies file permissions
PID:11220

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:5564

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:4640

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:6664

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:8668

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:6012

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:6544

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:2284

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:12196

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:4924

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:12568

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Possible privilege escalation attempt
PID:3444

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:9396

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Modifies file permissions
PID:12540

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:2344

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:4400

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:9356

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
- Modifies file permissions
PID:12952

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Modifies file permissions
PID:6712

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
PID:1660

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
- Possible privilege escalation attempt
PID:10000

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:4664

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
PID:1780

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:548

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
10⤵
PID:9404

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:2304

C:\Windows\system32\tree.com
tree "C:\Windows\System32"
10⤵
PID:11820

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
PID:12316

C:\Windows\system32\icacls.exe
icacls "C:\Windows" /reset /t /c /q
10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8572

C:\Windows\system32\icacls.exe
icacls "C:\Windows\System32" /reset /t /c /q
10⤵
PID:4640

C:\Windows\system32\tree.com
tree "C:\Windows"
10⤵
PID:2516

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:7796

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:4076

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:5732

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:6908

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:10160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:9828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:5728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:9864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10364

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10488

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10632

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:10796

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:10872

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5DD.tmp\5DE.tmp\5DF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:10992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:12664

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
PID:7148

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:1652

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:1908

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:12144

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:10948

C:\Windows\system32\calc.exe
calc
9⤵
PID:11044

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:11108

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:11228

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:10444

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1AAD.tmp\1AAE.tmp\1AAF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:10816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:11708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:10088

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
- Modifies file permissions
PID:12072

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:9000

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:7524

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
11⤵
- Kills process with taskkill
PID:12040

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:244

C:\Windows\system32\calc.exe
calc
9⤵
PID:11012

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:11108

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:11364

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:12172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7860

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:7156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8784

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:6264

C:\Windows\system32\calc.exe
calc
7⤵
PID:5396

C:\Windows\explorer.exe
explorer.exe
7⤵
- Modifies registry class
PID:5228

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7676

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6160

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5244

C:\Windows\system32\calc.exe
calc
5⤵
- Modifies registry class
PID:5256

C:\Windows\explorer.exe
explorer.exe
5⤵
- Modifies registry class
PID:5344

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5356

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:5496

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81E.tmp\81F.tmp\820.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Checks computer location settings
- Drops autorun.inf file
- Modifies registry class
PID:5680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:6640

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
8⤵
- Possible privilege escalation attempt
- Suspicious use of AdjustPrivilegeToken
PID:6852

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:6908

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4644

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:6992

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:3504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:4892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7640

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:7832

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:8020

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:3392

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:4932

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4EC7.tmp\4EC8.tmp\4EC9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:8008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:8184

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:1836

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
PID:5444

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:7572

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:5860

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:1908

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:8012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11148

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10508

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:11516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:11868

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:12204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:4644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:740

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10628

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:6744

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:5844

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:7032

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E698.tmp\E6A9.tmp\E6AA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:8924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:11924

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
12⤵
- Modifies file permissions
PID:9628

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:11636

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
11⤵
PID:9772

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:8716

C:\Windows\system32\calc.exe
calc
9⤵
PID:11964

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:6720

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:10140

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:8908

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A5D.tmp\A5E.tmp\A5F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:11248

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
11⤵
PID:1032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
11⤵
PID:12932

C:\Windows\system32\ipconfig.exe
ipconfig /release
11⤵
- Gathers network information
PID:5628

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
11⤵
- Kills process with taskkill
PID:3240

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:9568

C:\Windows\system32\calc.exe
calc
9⤵
PID:11684

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:10476

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:11848

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:12888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:13124

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:7852

C:\Windows\system32\calc.exe
calc
7⤵
- Modifies registry class
PID:8020

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4556

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:6964

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8228

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5B0C.tmp\5B0D.tmp\5B1D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:8400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:9012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:4836

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows" /r
10⤵
- Modifies file permissions
- Suspicious use of SetWindowsHookEx
PID:5456

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentv ersionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:5880

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentve rsionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:5168

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:6968

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
9⤵
- Kills process with taskkill
PID:6520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:5156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:11396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:11724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:12060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:8272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:6108

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:10084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
9⤵
PID:6736

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
9⤵
PID:8208

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:7900

C:\Windows\system32\msg.exe
msg * Virus Detectado
9⤵
PID:10496

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
9⤵
PID:4400

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:164

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\25A5.tmp\25A6.tmp\25A7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:7020

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:1396

C:\Windows\system32\calc.exe
calc
9⤵
PID:9688

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:10204

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:4600

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
9⤵
PID:9316

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4E6B.tmp\4E6C.tmp\4E6D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
10⤵
PID:8168

C:\Windows\system32\notepad.exe
notepad
9⤵
PID:10092

C:\Windows\system32\calc.exe
calc
9⤵
PID:12136

C:\Windows\explorer.exe
explorer.exe
9⤵
PID:2424

C:\Windows\system32\mspaint.exe
mspaint.exe
9⤵
PID:9264

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8312

C:\Windows\system32\calc.exe
calc
7⤵
PID:8432

C:\Windows\explorer.exe
explorer.exe
7⤵
- Modifies registry class
PID:8492

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:8644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:1648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
- Modifies registry class
PID:4680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6316

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5932

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5508

C:\Windows\system32\calc.exe
calc
5⤵
- Modifies registry class
PID:5604

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:5704

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:6208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:6304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6332

C:\Windows\system32\calc.exe
calc
5⤵
PID:13300

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:7396

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:9968

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12516

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5856

C:\Windows\system32\calc.exe
calc
5⤵
PID:11564

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12052

C:\Windows\system32\cmd.exe
cmd.exe
5⤵
PID:2984

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5348

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:3928

C:\Windows\system32\calc.exe
calc
5⤵
PID:4724

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:9312

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10604

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:13200

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:2832

C:\Windows\system32\calc.exe
calc
5⤵
PID:7664

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12000

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13132

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13116

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:6268

C:\Windows\system32\calc.exe
calc
5⤵
PID:7424

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:1020

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12796

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:2348

C:\Windows\system32\calc.exe
calc
3⤵
- Modifies registry class
PID:2868

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies registry class
PID:904

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3912

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5080

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5760

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:4608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:8280

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8608

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8488

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8456

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11952

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9548

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10968

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:4204

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 4204 -s 7300
2⤵
- Program crash
PID:6960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 448 -p 4204 -ip 4204
1⤵
PID:1792

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1780

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:12128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8992

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Replication Through Removable Media

T1091

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Permissions Modification

T1222

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\158.tmp\159.tmp\169.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ED0.tmp\2ED1.tmp\2ED2.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B44.tmp\3B45.tmp\3B46.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\81E.tmp\81F.tmp\820.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\81E.tmp\81F.tmp\820.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AC33.tmp\AC34.tmp\AC35.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
b03d725270397f929c6c0468784dee09

SHA1
26db9264edc3c8dfb6fe4c65a9b2d51aedd2f783

SHA256
1208ed242d315e0eeeb90ca1539dd416003c680ec5eb9b347899b4b8df04c951

SHA512
232de6bd012c5e695f387f038bb5c958679c0f21f022dd355b58baa508f851ef46856bf3574fa53455326f7f8451987bffe92393e06705c410b634e757e740bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
b03d725270397f929c6c0468784dee09

SHA1
26db9264edc3c8dfb6fe4c65a9b2d51aedd2f783

SHA256
1208ed242d315e0eeeb90ca1539dd416003c680ec5eb9b347899b4b8df04c951

SHA512
232de6bd012c5e695f387f038bb5c958679c0f21f022dd355b58baa508f851ef46856bf3574fa53455326f7f8451987bffe92393e06705c410b634e757e740bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
120B

MD5
90360947c538cfc2daf9d0e700023dc4

SHA1
1b354d121ed5169632cfd1345de0f7711bf3de45

SHA256
6e276df5ff177e0cce94894816603626a0ce487fd9578377f6cf92713c804f23

SHA512
b23523b14a00c1899279903f59af71c93de97eeb956f8b8076e41b9207f95b4da8dc0461e83e0a254e69c0e76249bdf04eaf099b8ce6d5870a3c89d8900aa6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
180B

MD5
7b395f508154d38bd0264eb00d4f4c18

SHA1
7bd97cc1e1166ffc71d2f15300b62100c1370d67

SHA256
7f8a19d48847eaa441471ae71d3f0de90e4afbde36ce578f48fbcf0d1c9ed505

SHA512
f8df923273db406c981853148680f16881ea316b11238dc90b001f77a7a6960eeecdc12d249a707d6922bd3c2bf124b12c179ac2b01e8e33f9ab8be229303b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
240B

MD5
e31c1648a288e2ef4e21f0aaae9ccba7

SHA1
adbef211d8396f1753df2b1cd09b830611ff3562

SHA256
2a4d51fd0b777549d93d3f82d1269624dab99d7cb7cc1a6fa5d43621a9a64451

SHA512
df2878b818b9a31ecc609f746497ab3601ba36d9004cb21c31a68fdea2191d039a4c703011b94fee63e4942bd800c6dd37227410e6566bbc352cf3c7e73f290b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
300B

MD5
a310a723ad88e7c64b85a570aec7ae6f

SHA1
a392dc21bdf5edac05dd1a48c5d7499367dcd563

SHA256
773ddde9d3e3d77f362e746d2da439d09b364805a77c6e11280c261390d0b6bb

SHA512
831d65c0764db6bab898d48e829f511755dbd11fccedd447267bef9c9bdb8d7750428e16aa3d481025146b60cfea09ba95fbfbd7e348eee691358729a8d05eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
360B

MD5
2a63f1726aa986321b96b7dc4156e87a

SHA1
0479ce7a03b737f683cbef644e706c4b8970c742

SHA256
101d8fb236ea323054e6ee6824d5f46fa4498fa9ddf715653a504100f8252689

SHA512
ae96844de5a17dd0e553b29d87433997536f327b43888324f0c51f864aec54986ec7128508f5d4a30b8fb6a86e1fb17ea09fa3f660ff85b34b8e62c8f7814181

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
364B

MD5
1c3333ef1eb15fee11f3c9c70d53e9db

SHA1
06a946850a92a310d157ff0d4e20c4cd4e74a75c

SHA256
106804ad33d43d72caba0f2ffdf43c281620be4b2edada926363284965addaa1

SHA512
4a45ed87c63387ec83063f5b1a2b3c63b2b95078f551e104cfa0635893fb2aa165b5274335ac1b57ba0b38d9482cacd14c8f7fb9abf1651a57afd3535bfe3cb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
414B

MD5
fe155cae38952bd953eaa6c9c35d4cfe

SHA1
0aa83b20edae72900be948124569e8043fccad64

SHA256
405552459501759d6a77e8b12dca2db1576dc25e23498abb5383b98fa1d939b0

SHA512
b6a3e92d88304f6279a302d97993d7776cc8571aabc255150e2eb944d8ad6cd5b40b8b54cd1b45d08869bb7c543fe253800f09d7bb4d1ae45ff65006a47975ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
420B

MD5
44e3720485c11a1db780c25877c87c45

SHA1
188f37b8e13e951d547e53cb0c561a5e64704a69

SHA256
a79135f6dd8435292f1d40e12e27d6d07250abd840d560b8e889bc2a26de9907

SHA512
130e3e89e4806ee826748bf824fc9426bc80ec2c3122ad43203757ed5ebddca61a0cd0f7145e16d17fe36788377f15a3086fce95909172ba9db6ceefd0202c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
184B

MD5
b819392c79117c489a08377a8eb5af5b

SHA1
d2ab8294c619c456a1b5d1cd6ad944e9df01037c

SHA256
633fa453c6b9dac6dc7d5b9c603e3c13da596855daaa91a6d1bf247b497ed8f7

SHA512
f4f315f35d31116e0487f73c5dcbbf839828ea9da26df7ab416f905e17169ca2efbfb848146c80e4337641039916db0a517dade581752db063795b0c898af093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
184B

MD5
b819392c79117c489a08377a8eb5af5b

SHA1
d2ab8294c619c456a1b5d1cd6ad944e9df01037c

SHA256
633fa453c6b9dac6dc7d5b9c603e3c13da596855daaa91a6d1bf247b497ed8f7

SHA512
f4f315f35d31116e0487f73c5dcbbf839828ea9da26df7ab416f905e17169ca2efbfb848146c80e4337641039916db0a517dade581752db063795b0c898af093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
184B

MD5
b819392c79117c489a08377a8eb5af5b

SHA1
d2ab8294c619c456a1b5d1cd6ad944e9df01037c

SHA256
633fa453c6b9dac6dc7d5b9c603e3c13da596855daaa91a6d1bf247b497ed8f7

SHA512
f4f315f35d31116e0487f73c5dcbbf839828ea9da26df7ab416f905e17169ca2efbfb848146c80e4337641039916db0a517dade581752db063795b0c898af093

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
276B

MD5
4ea34b8d7a32a9450e7442795fc81dae

SHA1
23a5a58a8be82aa2515fda1df6c420b4d1ee39de

SHA256
bc4f34fc1f075a031131564b1fa25962ea670e29ca3f778345bd4536860ade01

SHA512
3c5dba85721c1cd4fcbc7016dbfe83e252beb8d140e3d398e581c1489e53c92a65312e641809d7f226cb66ce056038ea53b2adf2dc41131555a58059dd061a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
368B

MD5
ea3f8a85d57ce278b69a08243cf9508e

SHA1
6bfa222c0e4e493d3b78e929274c13050eae02a1

SHA256
0fafe439f4dade61bba5e8f50760f81222c120f494866922aec02ca3d74195eb

SHA512
4e2d0de237014394b945f21b28e2f26cc06f55fb72aa90774d1fddfdf591b0ded6e9a1b1a38d3d4efe90a5389ba01771a1041289f760d96c4456ea4b71ff4fd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
460B

MD5
64dbc1aaf9b0e3711b601de3e8df38b0

SHA1
93d0220c4a23bc0752d8df1b0578bbad168d1e55

SHA256
b251c93391a75a57e78f233a0acdad102f2f2e34cf8ae1bb486286d1ea2f8194

SHA512
a7bde40bcb4cdab1abe69bbeef59b34a44faa3134bff9832156185f18f933fe0ea9467aacdc90e2b3c53e866f4e9bf6122ec31e7145adfce6bf387cfe74de061

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
552B

MD5
5754f3d49d4dc04f0a43338f662996a8

SHA1
8529101fd0f7d7438136660db1963ae9760d9804

SHA256
46b1b0665d1be33d3946e9b58f53a1c9ebab5476188a26dcba71db28c9361d99

SHA512
7d50b342b9e80361c9b4db27be47d494ec56732c02cb4bff9254540f592a0750bd28a4f69b425eef325c89a920a538ac1ce9c39e14a72fe7dded5ba1ae5d1008

Download Submit
C:\Users\Admin\AppData\Local\Temp\BB27.tmp\BB28.tmp\BB29.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDF6.tmp\BDF7.tmp\BDF8.bat
Filesize
13KB

MD5
4da6ee3c7ebcf9ff3c27a0bfcc7e78aa

SHA1
05b3c9cce2ded7e0cd02ba0c1b4dfd9ec6a09e1b

SHA256
167d1c93bf7a0dd446b437e9035b28aff8edd9c5828b5cd1e28e88c507eb4d14

SHA512
d3520a9185851155f6eb80b27241a24b992daaf726e494327fb6cc7ff48814d4fc6a02d31e7a91ea6eb57d221db58def902c3818b3f65e1baa4bbba1e56a9ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
112B

MD5
42358fda8075b544bd30b846c6b0ffad

SHA1
d1cec067376591089afdc39f4d2fdff60d68a8f1

SHA256
efe04a8acb9cda8561d0076f51332784814b78cd4e52e6f6bdf3d7e3b2835405

SHA512
78aab3fef009ccee6b7fa012aec650504961694aa692801f05b0058a8bc8ca308c2827b416086497fc3ceb94a56905ebfbe60def463f09b1ec699fff6d978bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
270B

MD5
adad2cd23a8880d4b3bdb1481c5b7998

SHA1
823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c

SHA256
838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69

SHA512
8c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
318B

MD5
ce1c128f0e16794ab3a171ad6c28b5bb

SHA1
5dbc3923a14e118c089b72a29b9c045092610a43

SHA256
e7ee59348d83fbdf33f907c0cc5e3e417cb1ca4ae608541d08dd6d1c71cf222e

SHA512
ddd22462cd5346f5ae30082cf2a1b8b220a7b6fd42ce691d760084ec9581f0912c72d075f6118d1198968ebfc80749085c820f22e88f1399b8b9e963b86865a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
318B

MD5
ce1c128f0e16794ab3a171ad6c28b5bb

SHA1
5dbc3923a14e118c089b72a29b9c045092610a43

SHA256
e7ee59348d83fbdf33f907c0cc5e3e417cb1ca4ae608541d08dd6d1c71cf222e

SHA512
ddd22462cd5346f5ae30082cf2a1b8b220a7b6fd42ce691d760084ec9581f0912c72d075f6118d1198968ebfc80749085c820f22e88f1399b8b9e963b86865a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
324B

MD5
b260589bc116e407e75412be10ce0c7c

SHA1
b3498d228b26ad13ba76b27d624ef5eef940221c

SHA256
61bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f

SHA512
007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
328B

MD5
b293c638fb6956e5db1746725a79d8e3

SHA1
a459cc36557de50b755d1b23019f5277501269cf

SHA256
08b0083253679dc3b6f7d1099e079e8e277f80a847df9e4663dcb0052146f218

SHA512
340ba163a9e2bb4f3e0c2dd15354d5d9ad002753a3ba56407688c224fa3d854e5f6ac30c34835eca424fb7005feb7dd8a3965b96d9ed4c8d3cef79a26c51bf0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
378B

MD5
598e89776a2342ea6d8b4035643da929

SHA1
714cac1cbe4ba77bbd270faeffa3ea3c9bab61ba

SHA256
53547edb5bd2cda23359fbb7c577e0bda6d5a8e984b5f2a228ee9c60feaed3a4

SHA512
6ff3eac0032560c6e7f2a9518511cdf6a62d3dc6e2792df10fac0b4d9bbb598822eb168e4c921230f5f90905c3e7074eec70f40805518041394e8a0e838d68c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
2KB

MD5
d4fa5ff797aa3366c59deefb1da2aa70

SHA1
9d29534ef8e7ccc3dcaf0c03f3792d36a0dc4538

SHA256
dc0ba522f8e324d5f72c82582df78fdf3d474d866009ce361d6c190ecf360197

SHA512
f8fc13e5dc12736da12187a9b7609e859856a0bc91fd811a597b1535bd2a2e6c5a61c35e99f9c3492938b717c620a4ce94bb9f59eda401fee31cfcc5a5d302d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
138B

MD5
fdac6c0d6442c0cfe7c0b69e80227f0a

SHA1
d0d9aea2bf7a4bf1b45237e2207d37830a578d8c

SHA256
b759fa635b2bbce2570feea401c7d2a9735844d204f5bcdbc88f3a3a761f3959

SHA512
7e5dc4b0876173f05f69f523d50ad573f5dfced10a771d1b28315c2a068b6f6c39ae5edd2433223f79e7d32b9180801746c9621de02cba026f93412b83339da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
345B

MD5
baa511e0932e6c0781dd1488615d17a6

SHA1
e3218aefe8c272ade02eb6cc5188df6d50b04de0

SHA256
20fa853d5be5b8f30eeb6ae3e24558a2091d80102944ab26b9861df5cea6c6fa

SHA512
24be7fabda63dd82dfb5307e2ae0dc7176bf59c0918f1316bddb7515e0695b10cd6e24420af4afcda3d5f1b01e3d540a2d75a629f40c381da05eb3c28ff4697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
477B

MD5
0e32716d5981f8027511862bd47ed483

SHA1
c1ccc3e32a32c8d81bf6cd84ebd633ccc16655da

SHA256
4628641b8b8230d90f250dd11692899970bde93ec36f5f0fdb4689eb40e560f2

SHA512
ea33e5f71040e2fc4a78f5294084b3de8e873adf8c6107ee8a859cb536ac75569b14b3555e44fcfc15db7f923e92f95d43640032ee85d6dda7aaa7a7562a96c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
483B

MD5
21321634b2c2bf8223d389be19d13d4e

SHA1
116c0af8712cc2120fbb6c4893f9a99a77242960

SHA256
fa1ddb950fadc33035dc70e015155e7db6fefaddc05d83cc1fab233e3c416f60

SHA512
feea91421292af2cb0348c6c09b2bbe810f3a3385c5b5ddbb7e6312aa7f97f48eebf10d6f9966b2fee8f4e843e87ceabf78318c9ac9b070478f0372471acce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
4KB

MD5
6b235b86d1abd68e56dfc52018562fed

SHA1
a84ec292781fb7b2d1bf6d6c906b38563f10027e

SHA256
2cce0f690c09625519edff5a88456252888ddda9057af76542c36215a7240715

SHA512
c0eabcf5fb8273625e6a8568e3d710be726c363b3518497ecff840efaea7b182a62d7f07ec3c4a0aacb29ec2e0f324b78d5c3d4621693b914f704ab626a41fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
206B

MD5
b8745a8fdae2b060fbdba1582893e071

SHA1
4631a5ae272dfde8921c33ae701bd7d4f055a637

SHA256
a67bec1e701ea02a6ad53b706d8c7dcfba577f62db1d91a0decd75abc2657ed5

SHA512
37dddb78f0ce713274725b24497ee3203f66d5c21a7b150037b946c44555dd7650f2e81b168a500aebf73b5c92e3a694d2a886538a3e1af3c8abe775b14ee1ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
412B

MD5
64c1a9b6bb30775cd6ebca0cb8cdedcb

SHA1
a66b216f47aeca1cc964fee8400fa2c272408eeb

SHA256
b4202bbbd268e1fd6391a7c1899d7c34ffe5f62d7468cb186975be60c86dc59c

SHA512
2f4037179d778d22a8e407e0b677920307d1c9513a8211919226a9522d63ef63f9af3e4732937dc04bfeb75686731890b56fa38bb9bcf6d2109437c9d8633681

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
618B

MD5
a74feb473b2a1c416fce81edb6859ddd

SHA1
2ae1f661587cc891c3170c6c5d237dd9ba7ef411

SHA256
10ba4e27b1332f6dab91378f9a911878be41a4d587dc04618838eb7249fd99fe

SHA512
45de02ae0d80d62c5e3df19e03f8f27228b0f2eb26c8c847326a37c75650f44263e707c5af8576fa32e4e662dba220813a6c599bbd6ead3d55e3df66f0cb48f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
824B

MD5
7557eef659e8d22cb74dee793f0fac3c

SHA1
f467c5454bc5f1bfb653f054edee9fa088a5bcbe

SHA256
3d7b96722887ea0a88f013b756e6f0975f2c856497967abeee6aa8c43101d5bb

SHA512
54070304b9fa25cd92eeee2a097ccc106c39883ef174e661c8b319c224f1b4d04dc45e508215a9888ca0198644762f3884707e4b1505d696eff4fa8fb3a84b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
a1e395827406a41fb3ee6ad163dcd3f1

SHA1
19d54e59221c9c0c70a8d1dd89ed3dd366e50f82

SHA256
4b62e603320ac2095fea42ce89e24be3671f59ba35be3fe5ddcf2c9a878802fb

SHA512
e1f9b84dbec954ce3f446cb34ee1a6a1614ba3c95ec8fe6b5ecee976933dd5ddec353b482cd9b3a22c8c8d02e219933150a9592d51923bf3bf519738167997c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
a4bec65459d41f9cd6e04e946839d919

SHA1
8b02a52d623ee606a357fcbc0595ac7328606f4b

SHA256
7fcdeaf591562b2b559fc61f0894c1869f8826ad1733e8bfd99828ecdbe91423

SHA512
58f9ebc1c0564f319fbb833cdafed7f7ef6d581a2652d60e36f693c8da73e9e2217eba941fea59849e89211f91d888d329730d7299e06b0379ab02f6ea8d7a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
63691ef46dcf95f55e16855ca489b4e4

SHA1
9bff1a6e597ac7efbc698530f957c5da3f80b3e8

SHA256
ff51c2f7f16d46a6e4c58da55dd413fc55c713fc5d031d22b5b377b04d5fbab6

SHA512
24cf11595de33805f36a04ca292195b4319c560a64747abe1cc8c3479fe3ed04c42684210a577659b34e226c3af16ed66212ff62e703dd1fc10b2a240025c2c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
0eda86217329d903179de52d9e39c5ad

SHA1
d0eb25b38e81371b0270c8cd2b2719407009d55d

SHA256
7af543fd037949262dbb9122eea9b4e5442c9d6559d45e7cfe57142f733c13a6

SHA512
ac4967d543a31bc757e9c0a544b180fd739af8728cd4ce25c263166ff3142a83e77c00f6986c8c3c1a018e4b3bafccaf20ff312a15595a10917c1c15a5d69956

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
5KB

MD5
0b93e0b54355d3fec1ca8a9fa34a0354

SHA1
ce578cf63e26a3676eac57d53eb24a6d2d205118

SHA256
a01428209bc3e038d9c5ef9c3904f30628067b000295d7478aefa69fae3c0375

SHA512
5ca21db00016b9d2bc9ac6fac1b2311a62bf5d377837fdb4ec272c2c0ff2090c2524cbeb9ba8fd4d968c873fa2c4ecfd68b35ac85b890b567f81273fa28b1b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
5KB

MD5
0b93e0b54355d3fec1ca8a9fa34a0354

SHA1
ce578cf63e26a3676eac57d53eb24a6d2d205118

SHA256
a01428209bc3e038d9c5ef9c3904f30628067b000295d7478aefa69fae3c0375

SHA512
5ca21db00016b9d2bc9ac6fac1b2311a62bf5d377837fdb4ec272c2c0ff2090c2524cbeb9ba8fd4d968c873fa2c4ecfd68b35ac85b890b567f81273fa28b1b0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
6KB

MD5
7a272d98ee71b94c40ea2c293a9c1e4c

SHA1
475fc39dfb91040bc3745503c9919df27d57a6e3

SHA256
23e20b75619f7d5ca1aeb72d74ee5e54ca8db9f26574a9cb78d066da94693e5e

SHA512
39dcd56cbd0174a92a20c63170ba5723b170bde8f298821494cc905b87c3f388ab5340c8ba0b572d3fe0457f2e900e3d6a371672a26bd92b035facbfa7e1c87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
10KB

MD5
2cbbf7d5ae0a543e802b9bd2812f9aa1

SHA1
519e314f079b19980bcc4bc8055c0f428b8baa74

SHA256
79c0b3eea522413e366bf2344d4e85fb4637ae35a632798e7639dd9371e26e43

SHA512
390671c1aad125ae6c47a835c11016ff9a513e4efc328d880d40dc924d093394235386cbaa4882dd6ce7e5a50d107daa07b9eef6692d6002f02b0c7ec0f84d35

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
13KB

MD5
d12d9d1c85abeeed697ebd9660bba273

SHA1
f9696def203075a8d3e9b20a559068bd17daa21f

SHA256
d8b831bde8599b0d72947938585dc5f299603ca9af295425f504f498e1c1ea0b

SHA512
1de32b99de0dff6b0b7b2fc950ef9364bd98741549f90bbff1831bfc1f3b023c370689e3e7e8126a051efdb9cdc7c06f9e515a9b5cdeab446378a881cc6d6acc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
17KB

MD5
3ef96a5670ceb699dbadf9e965561fc3

SHA1
796d95ecfe43be29489c5cf8490e79857115e70f

SHA256
3c996ccc8839db84473bd14c8afc36607d15de8b32d40853876263c59c7f0752

SHA512
2a174d865a7ab6adc11c965893a4c0578030cf471b0b1923fbcd1a0b1797988c3ee62bad2da093c7f32f08425fa73a8795514b65805ea607f6a9b65b28193222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
20KB

MD5
32e0193b8d7275720e30568b6cdef698

SHA1
acbd98e1c70c43512abf0e5934574648c5b5b9f9

SHA256
51feedaa54185a5bfdd2d98437487a7611f5295d23c76b0c985990110b4012a0

SHA512
a74c273fff1558962fd292325db99cb4d1074d941aa1f875989e1e4fc63eb4f64bd79f850c34db7c7fab219bb9a3af171c31ca91b67815cf535921f77b803ea6

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
3KB

MD5
e586f770486692b8987131c02aa87e0e

SHA1
43b1993f815a83d2243a1c4b84471f6b23830feb

SHA256
28945620357e16d610af1dcce84ca3674db4afa9c9a15324b64b43452ce7f920

SHA512
67f0cf50eb18efea00455b506974b1b2983bfb5e894b8c18650cee4517b2b14c6dc56a3d1506dce6217042b5f322a1da42d1ffdfc5290b74a701de1e685fedad

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
4KB

MD5
14aaccc516fe6586a7727847a3aae04e

SHA1
1093b7b7a390b6d0caf58a7667b3b35a122a97c6

SHA256
34a5e7f6ca9bca44b2374398cb28ac6c92bb71353881fda8e3e3233e15f52339

SHA512
6b0984e83165ed1fd02991f10d269130caaf6efddfbd8c2dc9ea8bc467cffcea34bbeb974610ebdea2ab99283484fc36560a31bffa77a24a2e112911cb36c513

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
6KB

MD5
9c520638c1c82d16486d9783d064103b

SHA1
9152a1ba79f0eaed3dd9ae4a3fa0b4f3933c6d21

SHA256
1961ef44c78e53aa0ef7a1ff48bd1b3e4e9aa44f984c59396c2ea4e9c844ad1b

SHA512
636e45c98810b445cff88de08c13033dd9b8df687636cf1998f10801f22fdca55ad7beb7d01f5279bcb17f9180b47822a9ab47cb908d78ba3cdb2cc3e252587e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
7KB

MD5
a064005efab00c51438d7202741bce37

SHA1
70f21ee3c6fed50893519aac60822dd5a21f87d7

SHA256
1ce7c216ce76e4af914095eaeee9c41eea2a8a8dbe9bb52e7db19dce09424d33

SHA512
fabbf633dba91acb4064ca4b7ea3acc379543c3928123b7e811a3b97068059c3eaba929e3e3bef3c02cde60ec7ccfb45e36a069a98bb03b038ea9b42c92e8f26

Download Submit