badrabbit | d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea

Analysis

max time kernel
16s
max time network
159s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
13-04-2024 17:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

FileCrypter.exe
Size

1.0MB
MD5

ab566bd2a0f20afa6817214cf66269f0
SHA1

31cb35812778d4bbb0c7a496c9d789a13625b056
SHA256

d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea
SHA512

353d36b414bfaef79f7c3703f33d12ec8467ca6bd71d7dab9aaf4546d60c9b74941fbf41eaa5e0352e34a3bd51b56baefd15183168ee519985eba81fe5399447
SSDEEP

24576:TR+cl7X1BRnI6hmebOe1gmf2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKJStRv9xFK1gEr0E

Score

10^/10

badrabbit mimikatz discovery evasion persistence ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

Processes:

resource	yara_rule
C:\Windows\2304.tmp	mimikatz

Modifies Windows Firewall 2 TTPs 4 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exe

pid process

6108 netsh.exe
7124 netsh.exe
6204 netsh.exe
1728 netsh.exe

pid	process
6108	netsh.exe
7124	netsh.exe
6204	netsh.exe
1728	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

FileCrypter.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	FileCrypter.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 5 IoCs

Processes:

A2-Cryptor.exeBadRabbit.exeFMLN.exeShingapi.exe2304.tmp

pid process

2680 A2-Cryptor.exe
4420 BadRabbit.exe
1720 FMLN.exe
4632 Shingapi.exe
3664 2304.tmp
Loads dropped DLL 1 IoCs

Processes:

rundll32.exe

pid process

3912 rundll32.exe
Modifies file permissions 1 TTPs 4 IoCs
discovery

File and Directory Permissions Modification
T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

pid process

1788 takeown.exe
7016 takeown.exe
5952 takeown.exe
5928 takeown.exe

pid	process
2680	A2-Cryptor.exe
4420	BadRabbit.exe
1720	FMLN.exe
4632	Shingapi.exe
3664	2304.tmp

pid	process
1788	takeown.exe
7016	takeown.exe
5952	takeown.exe
5928	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in Windows directory 5 IoCs

Processes:

BadRabbit.exerundll32.exe

description	ioc	process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\2304.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3004 schtasks.exe
1996 schtasks.exe

pid	process
3004	schtasks.exe
1996	schtasks.exe

Delays execution with timeout.exe 12 IoCs

evasion

Processes:

timeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exetimeout.exe

pid	process
4264	timeout.exe
1076	timeout.exe
2936	timeout.exe
5908	timeout.exe
5796	timeout.exe
3480	timeout.exe
6372	timeout.exe
2664	timeout.exe
1600	timeout.exe
5864	timeout.exe
7164	timeout.exe
4404	timeout.exe

Gathers network information 2 TTPs 4 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

4420 ipconfig.exe
6232 ipconfig.exe
2320 ipconfig.exe
6364 ipconfig.exe
Kills process with taskkill 4 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

832 taskkill.exe
5260 taskkill.exe
6324 taskkill.exe
6744 taskkill.exe
Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe

pid	process
4420	ipconfig.exe
6232	ipconfig.exe
2320	ipconfig.exe
6364	ipconfig.exe

pid	process
832	taskkill.exe
5260	taskkill.exe
6324	taskkill.exe
6744	taskkill.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 11 IoCs

Processes:

rundll32.exe2304.tmp

pid	process
3912	rundll32.exe
3912	rundll32.exe
3912	rundll32.exe
3912	rundll32.exe
3664	2304.tmp
3664	2304.tmp
3664	2304.tmp
3664	2304.tmp
3664	2304.tmp
3664	2304.tmp
3664	2304.tmp

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

rundll32.exetakeown.exetaskkill.exe2304.tmp

description	pid	process
Token: SeShutdownPrivilege	3912	rundll32.exe
Token: SeDebugPrivilege	3912	rundll32.exe
Token: SeTcbPrivilege	3912	rundll32.exe
Token: SeTakeOwnershipPrivilege	1788	takeown.exe
Token: SeDebugPrivilege	832	taskkill.exe
Token: SeDebugPrivilege	3664	2304.tmp

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

FMLN.exe

pid process

1720 FMLN.exe

pid	process
1720	FMLN.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

FileCrypter.exeBadRabbit.exeA2-Cryptor.exeShingapi.exeFMLN.execmd.execmd.execmd.execmd.exerundll32.execmd.execmd.exe

description	pid	process	target process
PID 536 wrote to memory of 2680	536	FileCrypter.exe	A2-Cryptor.exe
PID 536 wrote to memory of 2680	536	FileCrypter.exe	A2-Cryptor.exe
PID 536 wrote to memory of 2680	536	FileCrypter.exe	A2-Cryptor.exe
PID 536 wrote to memory of 4420	536	FileCrypter.exe	BadRabbit.exe
PID 536 wrote to memory of 4420	536	FileCrypter.exe	BadRabbit.exe
PID 536 wrote to memory of 4420	536	FileCrypter.exe	BadRabbit.exe
PID 536 wrote to memory of 1720	536	FileCrypter.exe	FMLN.exe
PID 536 wrote to memory of 1720	536	FileCrypter.exe	FMLN.exe
PID 536 wrote to memory of 1720	536	FileCrypter.exe	FMLN.exe
PID 536 wrote to memory of 4632	536	FileCrypter.exe	Shingapi.exe
PID 536 wrote to memory of 4632	536	FileCrypter.exe	Shingapi.exe
PID 536 wrote to memory of 4632	536	FileCrypter.exe	Shingapi.exe
PID 4420 wrote to memory of 3912	4420	BadRabbit.exe	rundll32.exe
PID 4420 wrote to memory of 3912	4420	BadRabbit.exe	rundll32.exe
PID 4420 wrote to memory of 3912	4420	BadRabbit.exe	rundll32.exe
PID 2680 wrote to memory of 3540	2680	A2-Cryptor.exe	cmd.exe
PID 2680 wrote to memory of 3540	2680	A2-Cryptor.exe	cmd.exe
PID 4632 wrote to memory of 2400	4632	Shingapi.exe	cmd.exe
PID 4632 wrote to memory of 2400	4632	Shingapi.exe	cmd.exe
PID 1720 wrote to memory of 516	1720	FMLN.exe	cmd.exe
PID 1720 wrote to memory of 516	1720	FMLN.exe	cmd.exe
PID 3540 wrote to memory of 2300	3540	cmd.exe	mode.com
PID 3540 wrote to memory of 2300	3540	cmd.exe	mode.com
PID 516 wrote to memory of 4264	516	cmd.exe	mode.com
PID 516 wrote to memory of 4264	516	cmd.exe	mode.com
PID 3540 wrote to memory of 2588	3540	cmd.exe	mode.com
PID 3540 wrote to memory of 2588	3540	cmd.exe	mode.com
PID 2400 wrote to memory of 3968	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 3968	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 1728	2400	cmd.exe	netsh.exe
PID 2400 wrote to memory of 1728	2400	cmd.exe	netsh.exe
PID 3540 wrote to memory of 4352	3540	cmd.exe	certutil.exe
PID 3540 wrote to memory of 4352	3540	cmd.exe	certutil.exe
PID 516 wrote to memory of 2660	516	cmd.exe	certutil.exe
PID 516 wrote to memory of 2660	516	cmd.exe	certutil.exe
PID 3968 wrote to memory of 1072	3968	cmd.exe	reg.exe
PID 3968 wrote to memory of 1072	3968	cmd.exe	reg.exe
PID 3912 wrote to memory of 3148	3912	rundll32.exe	cmd.exe
PID 3912 wrote to memory of 3148	3912	rundll32.exe	cmd.exe
PID 3912 wrote to memory of 3148	3912	rundll32.exe	cmd.exe
PID 516 wrote to memory of 4404	516	cmd.exe	timeout.exe
PID 516 wrote to memory of 4404	516	cmd.exe	timeout.exe
PID 3540 wrote to memory of 2664	3540	cmd.exe	timeout.exe
PID 3540 wrote to memory of 2664	3540	cmd.exe	timeout.exe
PID 3148 wrote to memory of 1168	3148	cmd.exe	schtasks.exe
PID 3148 wrote to memory of 1168	3148	cmd.exe	schtasks.exe
PID 3148 wrote to memory of 1168	3148	cmd.exe	schtasks.exe
PID 2400 wrote to memory of 2076	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 2076	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 2980	2400	cmd.exe	WScript.exe
PID 2400 wrote to memory of 2980	2400	cmd.exe	WScript.exe
PID 2400 wrote to memory of 4512	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 4512	2400	cmd.exe	cmd.exe
PID 2400 wrote to memory of 4840	2400	cmd.exe	reg.exe
PID 2400 wrote to memory of 4840	2400	cmd.exe	reg.exe
PID 2400 wrote to memory of 2252	2400	cmd.exe	reg.exe
PID 2400 wrote to memory of 2252	2400	cmd.exe	reg.exe
PID 2400 wrote to memory of 4420	2400	cmd.exe	ipconfig.exe
PID 2400 wrote to memory of 4420	2400	cmd.exe	ipconfig.exe
PID 3912 wrote to memory of 2888	3912	rundll32.exe	cmd.exe
PID 3912 wrote to memory of 2888	3912	rundll32.exe	cmd.exe
PID 3912 wrote to memory of 2888	3912	rundll32.exe	cmd.exe
PID 2888 wrote to memory of 1996	2888	cmd.exe	schtasks.exe
PID 2888 wrote to memory of 1996	2888	cmd.exe	schtasks.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

6296 attrib.exe
6792 attrib.exe
6612 attrib.exe
2436 attrib.exe

pid	process
6296	attrib.exe
6792	attrib.exe
6612	attrib.exe
2436	attrib.exe

C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe
"C:\Users\Admin\AppData\Local\Temp\FileCrypter.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:536
- C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\117F.tmp\1190.tmp\1191.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3540
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:2300
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:2588
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "Encrypted.jpeg"
      4⤵
      PID:4352
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:2664
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1600
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:2936
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:5908
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:5796
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:1500
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6204
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6436
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5988
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6276
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6500
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5520
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6228
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6408
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:6052
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6348
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6632
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5968
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6516
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6692
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:6372
  - - C:\Windows\system32\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:6588
- C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
  "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4420
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3912
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        
        PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4143277405 && exit"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2888
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 4143277405 && exit"
        5⤵
        Creates scheduled task(s)
        
        PID:1996
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:28:00
      4⤵
      PID:4444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 17:28:00
        5⤵
        Creates scheduled task(s)
        
        PID:3004
  - - C:\Windows\2304.tmp
      "C:\Windows\2304.tmp" \\.\pipe\{A4C7013E-1F5A-4801-8E27-A4D177FEACAA}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3664
- C:\Users\Admin\AppData\Local\Temp\FMLN.exe
  "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\117F.tmp\1191.tmp\1191.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:516
  - - C:\Windows\system32\mode.com
      mode con: cols=170 lines=45
      4⤵
      PID:4264
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "Wallpaper.jpeg"
      4⤵
      PID:2660
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:4404
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:4264
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1076
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:5864
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3480
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5044
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6196
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6508
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5880
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6268
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6580
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5260
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6300
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6556
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:6168
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6644
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6724
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:6444
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6740
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6784
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:7164
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Data.lp" "KillWin.exe"
      4⤵
      PID:6700
  - - C:\Windows\system32\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:5596
- C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
  "C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4632
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\118F.tmp\1190.tmp\1191.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
    3⤵
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3968
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        5⤵
        Adds Run key to start application
        
        PID:1072
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set publicprofile state off
      4⤵
      Modifies Windows Firewall
      PID:1728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:2076
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:4512
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:4840
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:2252
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:4420
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:832
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:2436
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2236
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3984
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1476
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4900
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4272
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1156
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:4624
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:444
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3772
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:1664
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3A45.tmp\3A46.tmp\3A47.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        
        PID:2008
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:7076
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:6328
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:6204
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:6636
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:6648
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:5928
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:5936
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:6640
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:6364
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:6324
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:6612
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6784
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7248
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7520
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7756
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8128
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:3492
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6736
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:2064
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:5832
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\694F.tmp\92D1.tmp\92D2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8240
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:8036
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4736
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7512
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:2240
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7180
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\88ED.tmp\9206.tmp\92D2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8252
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6712
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:2184
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:5420
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:8312
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:8500
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AB2A.tmp\AB2B.tmp\AB2C.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8716
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:8620
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:8760
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:8824
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:8956
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:1020
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8824
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8196
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8272
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7384
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:1588
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3864
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2484
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:4452
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:4860
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:832
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4040.tmp\4041.tmp\4042.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        
        PID:5332
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:7108
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:6404
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:7124
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:6464
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:6532
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:5992
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:5952
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:6088
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:5892
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:2320
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:6744
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:6792
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6300
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:2664
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:1500
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6284
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6832
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6052
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7256
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7500
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7744
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7948
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:8080
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:3100
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:7408
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6088
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5F4D.tmp\92C1.tmp\92C2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8212
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:4396
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:6556
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:5052
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:5288
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:5448
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\68A3.tmp\92D1.tmp\92D2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8224
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:5412
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7696
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7876
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:5616
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:5860
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7B70.tmp\91E7.tmp\91E8.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:4640
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:3860
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:1020
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4964
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:6324
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:1048
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8876
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:2992
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:5568
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7148
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8936
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4364
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:1852
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4288
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:2988
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:5240
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\430F.tmp\4310.tmp\4311.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        
        PID:5488
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:5996
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:5252
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:6108
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:6216
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:6844
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:6900
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:7016
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:6940
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:7000
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:6232
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:5260
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:6296
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6776
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6912
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:2152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6948
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:2304
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6972
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:5648
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7060
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7096
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6376
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6228
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:628
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:2180
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA0D.tmp\EA0E.tmp\EA0F.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:5260
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:5676
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:6088
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6660
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:6652
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6756
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EFF9.tmp\F009.tmp\F00A.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:7128
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6612
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:5196
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6696
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:2340
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7228
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C1C.tmp\C1D.tmp\C1E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:7412
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7332
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7436
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7600
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7680
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8584
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8812
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:9056
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:9152
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:5900
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:5376
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5536
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5716
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5764
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:6060
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5032
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:5652
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3864
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5228

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5388

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5820

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:5388

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2444

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4944

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7028

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8980

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
104B

MD5
e6a895af1b1279e87b2cb69220cd2227

SHA1
e178224b3682638de8c6a0ecf4a29dbfa2b81169

SHA256
e1c8ee7a333e1a888b14c00e57c9aa8ac78d65dfb0cd7ef95839c40ef1eb1c63

SHA512
10078f50c13b474e0de7c3707d3d7fc4786c1d9e7b36815aa5e0506d167bc2607a8e78fa5b4d0ace17fc6b8b93fe3b8fa161c0408b7bcd6e2691d534382e5441

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
202B

MD5
f3e4b8c7fbbb6b4163a619537bbc19d8

SHA1
29a841985e89d0167224797c05bcd8c020c12b1a

SHA256
c0537c7cd406dbe58403885e7ab9fa4d650eacf3c00e89a5789974004a5b90ca

SHA512
4deaf0bce830805984b4567e03aa03dc3cac612f940294cfe0202041e45dd1eb933f6d458c190f5ec4c2cbd1b5ede01d60e3af756d3e07124fbb0cb3e5651396

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
257B

MD5
bd352e98beb2926ec271eeabe6b6c13a

SHA1
5b1a9e977c746909d37247773ce4e378cdbaff45

SHA256
20f926f6f5cc363d24a989a84d874caf427c85c596538706cccd09e53d57386a

SHA512
6171425a0327a2fc47eb4ff24e7171c240438bffb2dc6d40afa2b16a5c10a3de706fa357cf63568c5d2fb65467982547795c97bd059d96e95ad8d3c26f690f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
312B

MD5
26c49c22b25b1a732823e8865a66e999

SHA1
d881b746ac20e96f2705044e4cced729c9951cf4

SHA256
e6ac7069c7c323186b5e101a1ae1c072596899386fb1a03ae1bf34d9b584b80f

SHA512
3139ef16387adf287c145ef73054d61775bcaf02edbe3296f5bec7e536d102bb01a9e601fd7bb791c0094069589bfbd750a901a1011bd766095c43bbf0d07c60

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
376B

MD5
be0a70a6dd8ded0d469f1d63df593c2e

SHA1
510a6c4551ca9ad472ffcad7bb7aed2beee8f4fa

SHA256
4445fdcf198b450a45ede4e8f5d89c9eb3db8eb485e7729181745c481c483696

SHA512
7d1e2570b126e032a1384bff8f48535f66cb2ba3bbcb58ad58645fd00d04c95d2e6962aca870dc9e8262b094564793ee2444723eaeb94929b16ebb667df24e1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
508B

MD5
da9cf1ad92a68fb725c962e727dee165

SHA1
f596b2ae6a5b03abff7e2f5e95449a3f5ab5c815

SHA256
cbd273d64df4c5177f2379017f39a8c2f8b8c78163777c75cdcce0642dd2d9a8

SHA512
cfca80b5a3765f9365de62a781f3487bd3b9e27864d3897cc58a9173f4ee9d833e479ffd3e134f18995df18265f06cd3ee95aa2de3807b0c464414a2c7f6b9b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
702B

MD5
d621b5f38ca8aa01e8a58a3ca80c804a

SHA1
2aba42770e3c97619467ff5b8264e036241245fe

SHA256
1715ba51f8af626b5ee67e937356fe717d96c81090d58672fc895b4bf9ae373e

SHA512
c05b816840e07c646e25e377ec3bfe25e55ec462e5e8ae5b11e7b1360e9e775239251cde9a49bad24324cd8ed43212d9d1d351a26e0f7e8bd4a449fb9a4cd0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.eky

Filesize
100B

MD5
f0cd9b9c6d827232cf2206096218ae3c

SHA1
08284ecf30fd5adf4b4c70ca4e47199698f7a16f

SHA256
b7fd9b149526aa875a9bb37c3072c26fa011d2a15511cde60e0fcc10cffcef02

SHA512
159e3ced30033b830830679fb33ece77c8f8afc8fc965776833ed5273915f449baa085f721550acf68ccb8cc2217f03ae2f226703e060e05eb609335d0adcbfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.ple

Filesize
98B

MD5
291c13f19b441b1ea6202e23ba6cf956

SHA1
1a7c9e2c422a6766e2bbf6ec6f239d4b15bc3a7d

SHA256
bb1695d9b8426d87d906c906dc4afe95c6cf64adc8bee153b5b16eb5d8de598e

SHA512
78dc6939bf461dbd63f724660945c044b26a45a5ff0e77508f74eb55bcdb4f1542a562e9eed747ce8b4ab2cd55715ac4609e402907906ef279686a5bbe53ec47

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.vhc

Filesize
98B

MD5
dc2cbd09f0e279de78c77cb826a6ec92

SHA1
b71dbff1d120edb705ca47db85c694450e6609f5

SHA256
bfc9c3947c2cbb638b77dadf9feae8eadf4a8e1d3e0698979d2c9bddd959d8d9

SHA512
e3b8e1ee65fd9e34a6b10ca0599a21a9bfc218eeba2ee0142cde0805c3377055f0fb66868271122b26ba4a6cb50ee8bd774e0986b9395fdd185bb4a5be909753

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.zsc

Filesize
98B

MD5
8c21cef19d87910673fb35f5870ca0a0

SHA1
fa3ab168d7c6bb22c7abb671457472883fe5b85b

SHA256
55970ea0b5e68fad9b60cdba48159f14df0442f0612172321c9f6fb16fb8e988

SHA512
3c13e59eb3e4d1947025cf8889f985c0fe14e73941382b19c84905355029e9fa10e95d50f2e79d722141ff8ba1fe9ec07c1b3b6847fd2cab4583fba8967a833f

Download Submit
C:\Users\Admin\AppData\Local\Temp\117F.tmp\1190.tmp\1191.bat

Filesize
33KB

MD5
4b42191175209ea23203acc526307c00

SHA1
a77abea54f5b2a0084fd1574a1c5b6e1df1df054

SHA256
4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

SHA512
fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\117F.tmp\1191.tmp\1191.bat

Filesize
54KB

MD5
93841169c4264ce13735e8b116d06226

SHA1
1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

SHA256
82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

SHA512
ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

Download Submit
C:\Users\Admin\AppData\Local\Temp\118F.tmp\1190.tmp\1191.bat

Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\12723_14435.bat

Filesize
116B

MD5
36c596219d6d34fca1584018614b15d0

SHA1
19f4a35243cc0e6ef348745d81a334a64a1fe70b

SHA256
0658505d2ae526d40838996fafc12e3ad8b233a8c79667c495f8f9c346107ff8

SHA512
30191eeeef6c4d5ff024fe0a85378ad615bcb953c417a6b673fac2327dab49e050b33aad341f5fb5b0c63e3b7896f3d57872657a1d2278f4ce8be7e5fbafe58f

Download Submit
C:\Users\Admin\AppData\Local\Temp\12723_14435.bat

Filesize
138B

MD5
473f288876a45a055fb197e9a4e3f479

SHA1
f4d9430c298e1b55f75687591d6f17b34aa0285d

SHA256
5e2d306aa4ddba0b154a4b89e78ad58745a7d4eade08615f067381c45d63b15a

SHA512
6672ccbe316635dfa1e3f0e2546c434b95c570ee9e1124feb8bd17345dc087fba4c7faa2e191de78b1033ef53b6b2c26704acd162234334ff42bfb15197377aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\12723_14435.bat

Filesize
149B

MD5
db494bb16cc77ade1fddf4dc5daaa49d

SHA1
077101ed2a4b5daec90fe15ef78b05de159bcd13

SHA256
d1163f647dbe0056a361381ba10f200aee128a45fa605edf25638bfd39cfd61b

SHA512
b63510a72ae61c3534f9ef48cdc7a54eefac574034011b93b61072d842dcb3db349956c8efd598e02cb04c52b3dbdef2e1ec08079e5ebe8c61da51e8341acdb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\12723_14435.bat

Filesize
160B

MD5
a317d9465cc7b4b3c668ba4db8d45032

SHA1
f34486827bf3e0992b8fae9512f410d40e981030

SHA256
6dc624db3e49db8d4a83c151c726237ea629c6df39e24d7a0d2a4878d7c97d3f

SHA512
c7501b3143244691995cccd23a79e9391e596f924ff4e36e29c532a6fcdaf92c0fd19f7e44724d34b7f61ad1efc11d98cec4044c37797e669f2ed2217345677f

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe

Filesize
122KB

MD5
d6e36f6b145a4601a84835b7e8a0bbc2

SHA1
3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

SHA256
46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

SHA512
e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
120B

MD5
6bc9ab9854695874c5338bd08dde7db5

SHA1
8ae8dc91cd8b80dd688378a3eacb2750e2de8c3c

SHA256
d4249fbe2df7ddc684f61bbba98e5d3312c85e5787d5500a73ff18a5abce76eb

SHA512
e8fda27e7d1144816879b84fa04b8b3a7063f3841e57a1aaa918b5dfa1dc35f0f4380f89ca861c59ea45d884488e68309dabff15200e6b99038df4431e439f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
234B

MD5
1dfb202bc17c908ae208d27dc8acb590

SHA1
a9641e0c3fb9205d8c3a3adf4c3226dd92595f3c

SHA256
850a990a0a29e8961cacd91faa7f9c639febab3d8dccd2ae59a845749f048669

SHA512
cbd8d3980ecdcc54688978fac8f56bf401e89ebe968c2cdea52db54cbb02f4079b4d4e55ced16dbe114def8a85cb714a53f5a927e50cd7648bae51a87ec65a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
710B

MD5
5344d662281664c3ecaef3f6e9f8b319

SHA1
8c3b5d24be0829e0b09bb4bd95edef0083da90c3

SHA256
8c1e0fe4d3fa0f42155dba2e952762c7aa3365d8986ed463e74f1cc742e7aa00

SHA512
2c55ec7c9b4f1ff5e35c775903290e253cc2e6fb3cfe48f108ad52e78051f74eb015bf9ef2a64ff80c17ec3c63539b08ff1bc368c32ee1f8fd3d8e0deb0fd40e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
426B

MD5
1c6615d419655469ffa9160df636b033

SHA1
802dc4fc354703b893aae902319263732f080713

SHA256
5cc949dbd1f5f969764d3f87dfe6482606d2e2bd23a51d0532f9e3822f94b9e5

SHA512
247daafe471bd75b098e83fa2d916524faa0415cbc577e5f3314ecff7fd4badf68c22fb50daf66ae8e49cec8a2ca18fc58af3e9dccde8a6692cbe8e7798b9986

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
108B

MD5
aea78da25dd9a4226b49abfadcc3977c

SHA1
1ae73fa0157801a3c42074f6d057712de6427e31

SHA256
18d5c5a71bb9b2414e4a08a52eeacf10961f29c5c582964b3507896be885b3a4

SHA512
f4a2c037f59680fe9d7931866fac1d28c3006e1fbf128ff8b6cb8f3edd54b32854e3a51839f8aca9288e657ece7dd645875ef4db1160c92d1f515137fb245ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMLN.exe

Filesize
258KB

MD5
c87988e35ec34779191f42b6213fdec1

SHA1
81036dcf6ea331243f2d512b8ac9611a95a18ea1

SHA256
96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

SHA512
ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image.bin

Filesize
18KB

MD5
eb05f382514e1a62572f9afd06a0a50d

SHA1
86a601e6b8a6e0dee089a66707a9a1d80bd33ba5

SHA256
24c3df9a48a7d1abd01b3a608505a33a3a2d3d907c7b6dad79c0f0da01125ab9

SHA512
2b46fcbcd1a35e09c22f3230b690783121fbdd504e4f3f34d3e1753db63d6720e5c6d752bad2d2015326e165b08b13d4c4ed7611cdaaad0e1f52a357e270a79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
138B

MD5
fdac6c0d6442c0cfe7c0b69e80227f0a

SHA1
d0d9aea2bf7a4bf1b45237e2207d37830a578d8c

SHA256
b759fa635b2bbce2570feea401c7d2a9735844d204f5bcdbc88f3a3a761f3959

SHA512
7e5dc4b0876173f05f69f523d50ad573f5dfced10a771d1b28315c2a068b6f6c39ae5edd2433223f79e7d32b9180801746c9621de02cba026f93412b83339da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
542B

MD5
74482ac7796bec769f53693ed8dfb0a2

SHA1
df338ffb9c65f694fcc05485953ad910946de000

SHA256
55278bf6e7610b3cf351974d208129b4af12ec66d2a4344e0e8fa137fe4b89c4

SHA512
5f018d90a39a4a91a52be59849b30002445e8aa6b358180c7b4510ec0cb64607f1374f8345bb30131688263db1af1b85ba43b767ff5b6195f8579b5db48cd775

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
1KB

MD5
6ca9c111719a01f047617b45c0b1f8fb

SHA1
2e5c248397f0f3151184da107b95d2b10b39e93a

SHA256
7ebed5bfeb4e72aec5b85d70768cffcae3d2dab8af86bf41f2082f2649b1d7bd

SHA512
02a033ac713f6ddeb194765d094bde657161a68b1156b92a9d3e8b75b8b64aba6099006cf56479d371bd165795a87bf35aebe60f33c9aafe94662d713d7ab2ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
317B

MD5
3bee14ecb4950b0857c3d75f2bc7b5df

SHA1
fc3896ff2f9be512bcce5b5ddaf42d073175c9bb

SHA256
6ee0a70a317625959d1cbbb7a58fda1bd71c0604dbebd330af79b078f24c759d

SHA512
3734910316508307e0cc4abe46354b78021e026bd19c26b10480e410b0ec665593c2dddde2e6d4f4be2d84b12f77d4f8d4ef5c10f24710af6a61741d794f952f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe

Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
c3e74f9a3502f228cd1e01685ecf3779

SHA1
d1e65a6ff8197617f6a67d5046bbaf5594240b16

SHA256
1794344a1a3f6a1708405825d15f1b7dd7425bb192dd682c5ca58562914b4756

SHA512
df181e76f2e00ce997201b0b3d261dda286906fc90be150bed69db18e711214e4169b5ca362626d361cbfffcf925c97715eb6c514373231bca07da538eedb858

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
9KB

MD5
3d1eb67f717f4c745d8510f3816f01e6

SHA1
fda93259504c83e174ead7c65fceef14a9579d97

SHA256
b6054ee0ff3aaa2b5ed5ff77d6a748910dc2d28118520c2812254d13cd2b3236

SHA512
d7ebd8fdd83e502126af42d4a791ab45a887edaba5d00ee2afb5160716ba9c5ae464cc9b4f513ca178ac86996cdf01cb4e97ed6d966a8309ddf7e3cf33ab9526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wallpaper.jpeg

Filesize
13KB

MD5
1285cd98536d791db631ac4bbc4520b1

SHA1
c0cf2a608361742736fc886ee837c6a501cc1ed1

SHA256
8f16b68a09fb1ac498e34054c6b31634a7fba08204678b19d449f617c303c674

SHA512
f67065feb33b555748e5e82dd8c2b3da4992d03eab7444481b8d060fd74a579859bbbbf6f8f37aeb6e267ab4594a2c4732e90b5e2cf2cec006191885359f8826

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\2304.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
0388f7be74547eabf2ba7ca9a2acc5fb

SHA1
455cc42c7f8b1c962ef82c2df49b1ee9b0e4eee3

SHA256
6bba1a51c545cd917aa5d1730f41f0390d6b60aacd317e3996a35f33ea541b59

SHA512
fc800a8491028ca49dc866b24d8735917e18089a2bb8dd440938bc9b24861fa4b073ebe2eff472ea7a4bfed5f238434acce758e260221069596ee47a158e8bac

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3912-168-0x0000000002820000-0x0000000002888000-memory.dmp

Filesize
416KB

Download
memory/3912-130-0x0000000002820000-0x0000000002888000-memory.dmp

Filesize
416KB

Download
memory/3912-120-0x0000000002820000-0x0000000002888000-memory.dmp

Filesize
416KB

Download