Analysis
- max time kernel: 667s
- max time network: 1022s
- platform: windows11-21h2_x64
- resource: win11-20240508-en
- resource tags: arch:x64, arch:x86, image:win11-20240508-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 10-05-2024 23:11
Static task: static1
Behavioral task: behavioral1
- Sample: ADZP 20 Complex.exe
- Resource: win10v2004-20240426-en
Behavioral task: behavioral2
- Sample: ADZP 20 Complex.exe
- Resource: win11-20240508-en
General
- Target: ADZP 20 Complex.exe
- Size: 106KB
- MD5: 8b6a377f9a67d5482a8eba5708f45bb2
- SHA1: 7197436525e568606850ee5e033c43aea1c3bc91
- SHA256: 6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
- SHA512: 644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72
- SSDEEP: 3072:v7DhdC6kzWypvaQ0FxyNTBfqMXERseQF8:vBlkZvaF4NTBSAesPF8
Malware Config
Extracted
C:\Users\Admin\Desktop\@[email protected]
wannacry
13AM4VW2dhxYgXeQepoHkHSQuy6NgaEb94
Signatures
-
BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
-
Wannacry
WannaCry is a ransomware cryptoworm.
-
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Downloads MZ/PE file
-
Possible privilege escalation attempt 42 IoCs
-
Drops startup file 2 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\~SDECB4.tmp | WannaCry.EXE
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Word\STARTUP\~SDECCA.tmp | WannaCry.EXE
-
Executes dropped EXE 64 IoCs
-
Loads dropped DLL 7 IoCs
-
Modifies file permissions 1 TTPs 42 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\vrdysqporewuolg188 = "\"C:\\Users\\Admin\\Desktop\\tasksche.exe\"" | reg.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd" | reg.exe
-
Drops desktop.ini file(s) 6 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
flow | ioc
2 | camo.githubusercontent.com
32 | camo.githubusercontent.com
35 | raw.githubusercontent.com
42 | raw.githubusercontent.com
96 | raw.githubusercontent.com
-
Drops autorun.inf file 1 TTPs 14 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
-
Drops file in System32 directory 19 IoCs
-
Sets desktop wallpaper using registry 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | WannaCry.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1672260578-815027929-964132517-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\Desktop\\@[email protected]" | @[email protected]
-
Drops file in Windows directory 5 IoCs
description | ioc | Process
File opened for modification | C:\Windows\A6F.tmp | rundll32.exe
File created | C:\Windows\infpub.dat | BadRabbit.exe
File opened for modification | C:\Windows\infpub.dat | rundll32.exe
File created | C:\Windows\cscc.dat | rundll32.exe
File created | C:\Windows\dispci.exe | rundll32.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid | Process
3024 | schtasks.exe
2604 | schtasks.exe
-
Enumerates system info in registry 2 TTPs 9 IoCs
-
Gathers network information 2 TTPs 41 IoCs
Uses commandline utility to view network configuration.
-
Kills process with taskkill 41 IoCs
-
Modifies registry class 22 IoCs
-
Modifies registry key 1 TTPs 1 IoCs
pid | Process
3716 | reg.exe
-
NTFS ADS 6 IoCs
description | ioc | Process
File opened for modification | C:\Users\Admin\Downloads\BadRabbit.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\WannaCry.EXE:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\BcatCrypto.zip:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 487298.crdownload:SmartScreen | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Klez.e.exe:Zone.Identifier | msedge.exe
File opened for modification | C:\Users\Admin\Downloads\Unconfirmed 902501.crdownload:SmartScreen | msedge.exe
-
Suspicious behavior: EnumeratesProcesses 58 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 35 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 64 IoCs
-
Suspicious use of SendNotifyMessage 40 IoCs
-
Suspicious use of SetWindowsHookEx 30 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
-
Views/modifies file attributes 1 TTPs 43 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f"1⤵
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7436.tmp\7437.tmp\7438.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe" cmd /k "taskkill /im cmd.exe /f""2⤵
- Drops autorun.inf file
PID:2532
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2068 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2d9d3cb8,0x7ffa2d9d3cc8,0x7ffa2d9d3cd82⤵PID:4528
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:4840
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2284 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3752
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2528 /prefetch:82⤵PID:2228
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:12⤵PID:4184
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3268 /prefetch:12⤵PID:1964
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4404 /prefetch:12⤵PID:4736
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4764 /prefetch:12⤵PID:2544
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:1696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5340 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:4948
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5148 /prefetch:12⤵PID:4988
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4960 /prefetch:12⤵PID:244
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5348 /prefetch:82⤵PID:3420
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5360 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:4856
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:12⤵PID:2360
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4976 /prefetch:12⤵PID:2008
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5568 /prefetch:12⤵PID:3372
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5424 /prefetch:12⤵PID:1516
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:12⤵PID:1472
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:12⤵PID:4352
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:12⤵PID:400
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:12⤵PID:1456
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5752 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:2920
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6288 /prefetch:82⤵PID:3716
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5828 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=27 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1716 /prefetch:12⤵PID:3880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:12⤵PID:3056
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:12⤵PID:3108
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1900,16919881843612476089,6069703591489626835,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5936 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:3460
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:5024
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4172
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:3268
-
C:\Users\Admin\Desktop\WannaCry.EXE"C:\Users\Admin\Desktop\WannaCry.EXE"1⤵
- Drops startup file
- Executes dropped EXE
- Sets desktop wallpaper using registry
PID:3564 -
C:\Windows\SysWOW64\attrib.exeattrib +h .2⤵
- Views/modifies file attributes
PID:1764
-
-
C:\Windows\SysWOW64\icacls.exeicacls . /grant Everyone:F /T /C /Q2⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2920
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3140
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c 45421715382876.bat2⤵PID:2144
-
C:\Windows\SysWOW64\cscript.execscript.exe //nologo m.vbs3⤵PID:3760
-
-
-
C:\Windows\SysWOW64\attrib.exeattrib +h +s F:\$RECYCLE2⤵
- Views/modifies file attributes
PID:700
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2492
-
C:\Users\Admin\Desktop\TaskData\Tor\taskhsvc.exeTaskData\Tor\taskhsvc.exe3⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:4716
-
-
-
C:\Windows\SysWOW64\cmd.exePID:4176
-
C:\Users\Admin\Desktop\@[email protected]PID:3160
-
C:\Windows\SysWOW64\cmd.execmd.exe /c vssadmin delete shadows /all /quiet & wmic shadowcopy delete & bcdedit /set {default} bootstatuspolicy ignoreallfailures & bcdedit /set {default} recoveryenabled no & wbadmin delete catalog -quiet4⤵PID:4976
-
C:\Windows\SysWOW64\Wbem\WMIC.exewmic shadowcopy delete5⤵
- Suspicious use of AdjustPrivilegeToken
PID:1328
-
-
-
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4948
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4784
-
-
C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Sets desktop wallpaper using registry
- Suspicious use of SetWindowsHookEx
PID:1068
-
-
C:\Windows\SysWOW64\cmd.execmd.exe /c reg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vrdysqporewuolg188" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f2⤵PID:1356
-
C:\Windows\SysWOW64\reg.exereg add HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /v "vrdysqporewuolg188" /t REG_SZ /d "\"C:\Users\Admin\Desktop\tasksche.exe\"" /f3⤵
- Adds Run key to start application
- Modifies registry key
PID:3716
-
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3872
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3112
-
-
C:\Users\Admin\Desktop\@[email protected]PID:1640
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2344
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2840
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2916
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1756
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2212
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:940
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2772
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2036
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2192
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1336
-
-
C:\Users\Admin\Desktop\@[email protected]PID:1900
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3060
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4800
-
-
C:\Users\Admin\Desktop\@[email protected]PID:1204
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4888
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4832
-
-
C:\Users\Admin\Desktop\@[email protected]PID:1952
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:3028
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4900
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2908
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4640
-
-
C:\Users\Admin\Desktop\taskse.exetaskse.exe C:\Users\Admin\Desktop\@[email protected]2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1592
-
-
C:\Users\Admin\Desktop\@[email protected]PID:784
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2528
-
-
C:\Users\Admin\Desktop\taskse.exePID:2860
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2908
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:2840
-
-
C:\Users\Admin\Desktop\taskse.exePID:5104
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2544
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:684
-
-
C:\Users\Admin\Desktop\taskse.exePID:5004
-
-
C:\Users\Admin\Desktop\@[email protected]PID:1892
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1272
-
-
C:\Users\Admin\Desktop\taskse.exePID:3204
-
-
C:\Users\Admin\Desktop\@[email protected]PID:1676
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1140
-
-
C:\Users\Admin\Desktop\taskse.exePID:684
-
-
C:\Users\Admin\Desktop\@[email protected]PID:3408
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1560
-
-
C:\Users\Admin\Desktop\taskse.exePID:424
-
-
C:\Users\Admin\Desktop\@[email protected]PID:796
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:4700
-
-
C:\Users\Admin\Desktop\taskse.exePID:1180
-
-
C:\Users\Admin\Desktop\@[email protected]PID:752
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵
- Executes dropped EXE
PID:1652
-
-
C:\Users\Admin\Desktop\taskse.exePID:3040
-
-
C:\Users\Admin\Desktop\@[email protected]PID:2632
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:2564
-
-
C:\Users\Admin\Desktop\taskse.exePID:8104
-
-
C:\Users\Admin\Desktop\@[email protected]PID:8112
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:7320
-
-
C:\Users\Admin\Desktop\taskse.exePID:10244
-
-
C:\Users\Admin\Desktop\@[email protected]PID:10256
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:10504
-
-
C:\Users\Admin\Desktop\taskse.exePID:12268
-
-
C:\Users\Admin\Desktop\@[email protected]PID:8508
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:7068
-
-
C:\Users\Admin\Desktop\taskse.exePID:11932
-
-
C:\Users\Admin\Desktop\@[email protected]PID:10052
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:13996
-
-
C:\Users\Admin\Desktop\taskse.exePID:6368
-
-
C:\Users\Admin\Desktop\@[email protected]PID:7724
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:5592
-
-
C:\Users\Admin\Desktop\taskse.exePID:3196
-
-
C:\Users\Admin\Desktop\@[email protected]PID:15824
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:13536
-
-
C:\Users\Admin\Desktop\taskse.exePID:16496
-
-
C:\Users\Admin\Desktop\@[email protected]PID:16512
-
-
C:\Users\Admin\Desktop\taskdl.exetaskdl.exe2⤵PID:16664
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2908
-
C:\Users\Admin\Desktop\BcatCrypto.exe"C:\Users\Admin\Desktop\BcatCrypto.exe"1⤵PID:3232
-
C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"C:\Users\Admin\AppData\Local\Temp\RarSFX0\main.exe"2⤵
- Executes dropped EXE
PID:2880 -
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c pause3⤵PID:3760
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2704 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2d9d3cb8,0x7ffa2d9d3cc8,0x7ffa2d9d3cd82⤵PID:1440
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1868 /prefetch:22⤵PID:3524
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:2612
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:82⤵PID:4940
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:12⤵PID:3696
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3480 /prefetch:12⤵PID:3164
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3028 /prefetch:12⤵PID:8
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3236 /prefetch:12⤵PID:1512
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5392 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3176
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:12⤵PID:2496
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4992 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:3648
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4916 /prefetch:82⤵PID:1080
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5076 /prefetch:82⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:3760
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2980 /prefetch:12⤵PID:2156
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5420 /prefetch:12⤵PID:4880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4272 /prefetch:12⤵PID:1540
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3684 /prefetch:12⤵PID:332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:12⤵PID:2444
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3336 /prefetch:12⤵PID:2956
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5984 /prefetch:22⤵
- Suspicious behavior: EnumeratesProcesses
PID:2880
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:12⤵PID:868
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6528 /prefetch:82⤵PID:2916
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:12⤵PID:4924
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6112 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:4656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=28 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:12⤵PID:2668
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6404 /prefetch:82⤵PID:4012
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1852,1348841936387360948,11104694718088347371,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1524 /prefetch:82⤵
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
PID:5064
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3468
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4724
-
C:\Users\Admin\Desktop\Klez.e.exe"C:\Users\Admin\Desktop\Klez.e.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3064
-
C:\Windows\SysWOW64\Winkueu.exeC:\Windows\SysWOW64\Winkueu.exe1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:1556
-
C:\Users\Admin\Desktop\Klez.e.exe"C:\Users\Admin\Desktop\Klez.e.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3428
-
C:\Users\Admin\Desktop\Klez.e.exe"C:\Users\Admin\Desktop\Klez.e.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:3120
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of SendNotifyMessage
PID:440 -
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffa2d9d3cb8,0x7ffa2d9d3cc8,0x7ffa2d9d3cd82⤵PID:4172
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1884 /prefetch:22⤵PID:3212
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 /prefetch:32⤵
- Suspicious behavior: EnumeratesProcesses
PID:3572
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2724 /prefetch:82⤵PID:4660
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3340 /prefetch:12⤵PID:3408
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:12⤵PID:4332
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:12⤵PID:2764
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4952 /prefetch:12⤵PID:656
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1860,10980832815520756075,17681677437511231382,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3656 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2900
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:3532
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵PID:4676
-
C:\Users\Admin\Desktop\BadRabbit.exe"C:\Users\Admin\Desktop\BadRabbit.exe"1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:4396 -
C:\Windows\SysWOW64\rundll32.exeC:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 152⤵
- Loads dropped DLL
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2668 -
C:\Windows\SysWOW64\cmd.exe/c schtasks /Delete /F /TN rhaegal3⤵PID:3140
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Delete /F /TN rhaegal4⤵PID:2860
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 641625928 && exit"3⤵PID:3536
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 641625928 && exit"4⤵
- Creates scheduled task(s)
PID:3024
-
-
-
C:\Windows\SysWOW64\cmd.exe/c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:41:003⤵PID:4056
-
C:\Windows\SysWOW64\schtasks.exeschtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 23:41:004⤵
- Creates scheduled task(s)
PID:2604
-
-
-
C:\Windows\A6F.tmp"C:\Windows\A6F.tmp" \\.\pipe\{249CB339-C67D-48C5-978D-AF90FB8EDC9E}3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2508
-
-
-
C:\Users\Admin\Desktop\Klez.e.exe"C:\Users\Admin\Desktop\Klez.e.exe"1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4988
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"1⤵PID:3912
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\31AE.tmp\31AF.tmp\31B0.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""2⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:2052 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵PID:684
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵PID:3724
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"3⤵PID:3572
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵PID:4960
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2332
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵PID:2132
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵PID:968
-
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
PID:1016
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
PID:2840
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Views/modifies file attributes
PID:3756
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"3⤵PID:2608
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"3⤵PID:3648
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"3⤵PID:1820
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"3⤵PID:4740
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"3⤵PID:3700
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"3⤵PID:2072
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"3⤵PID:3504
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"3⤵PID:4456
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"3⤵PID:3500
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"3⤵PID:1392
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵PID:1680
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵PID:1060
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵PID:4700
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"3⤵PID:3464
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\372C.tmp\374C.tmp\374D.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""4⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:4504 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:4924
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵PID:3508
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"5⤵PID:4480
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵PID:2268
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r6⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3540
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵PID:4700
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵PID:952
-
-
C:\Windows\system32\ipconfig.exeipconfig /release5⤵
- Gathers network information
PID:2772
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f5⤵
- Kills process with taskkill
PID:1200
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*5⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Views/modifies file attributes
PID:1372
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"5⤵PID:3620
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"5⤵PID:1060
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"5⤵PID:3916
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"5⤵PID:1600
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"5⤵PID:3760
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"5⤵PID:1652
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"5⤵PID:4796
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"5⤵PID:3028
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"5⤵PID:5144
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"5⤵PID:5172
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:5212
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado5⤵PID:5228
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!5⤵PID:5244
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"5⤵PID:5260
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\46EB.tmp\46EC.tmp\46ED.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""6⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:5416 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:5720
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"8⤵
- Adds Run key to start application
PID:5792
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd7⤵PID:5764
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"7⤵PID:5864
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat7⤵PID:5872
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r8⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5972
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f7⤵PID:5916
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f7⤵PID:5984
-
-
C:\Windows\system32\ipconfig.exeipconfig /release7⤵
- Gathers network information
PID:6008
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f7⤵
- Kills process with taskkill
PID:6024
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*7⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Views/modifies file attributes
PID:6056
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"7⤵PID:6104
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"7⤵PID:6120
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"7⤵PID:6140
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"7⤵PID:5256
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"7⤵PID:5448
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"7⤵PID:5468
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"7⤵PID:5500
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"7⤵PID:5360
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"7⤵PID:5528
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"7⤵PID:5316
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:5284
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado7⤵PID:1812
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!7⤵PID:5584
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"7⤵PID:5684
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5E0D.tmp\5E0E.tmp\5E0F.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""8⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:2000 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:6024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd9⤵PID:6064
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"9⤵PID:5668
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat9⤵PID:6080
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r10⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5564
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f9⤵PID:5700
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f9⤵PID:5852
-
-
C:\Windows\system32\ipconfig.exeipconfig /release9⤵
- Gathers network information
PID:5708
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f9⤵
- Kills process with taskkill
PID:6076
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*9⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Views/modifies file attributes
PID:6184
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"9⤵PID:6204
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"9⤵PID:6220
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"9⤵PID:6236
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"9⤵PID:6248
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"9⤵PID:6316
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"9⤵PID:6332
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"9⤵PID:6360
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"9⤵PID:6400
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"9⤵PID:6428
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"9⤵PID:6448
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵PID:6468
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado9⤵PID:6500
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!9⤵PID:6516
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"9⤵PID:6536
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\75EB.tmp\75EC.tmp\75ED.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""10⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:6688 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd11⤵PID:6988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd11⤵PID:7000
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"11⤵PID:7140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat11⤵PID:7152
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r12⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6184
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f11⤵PID:6148
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f11⤵PID:6472
-
-
C:\Windows\system32\ipconfig.exeipconfig /release11⤵
- Gathers network information
PID:6500
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f11⤵
- Kills process with taskkill
PID:6524
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*11⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Views/modifies file attributes
PID:6720
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"11⤵PID:6732
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"11⤵PID:6748
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"11⤵PID:6772
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"11⤵PID:6028
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"11⤵PID:6580
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"11⤵PID:6820
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"11⤵PID:6876
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"11⤵PID:6932
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"11⤵PID:6652
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"11⤵PID:6972
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado11⤵PID:6980
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado11⤵PID:7132
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!11⤵PID:6172
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"11⤵PID:6148
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV112⤵PID:6472
-
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\825E.tmp\825F.tmp\8260.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""12⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:5852 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd13⤵PID:7400
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd13⤵PID:7416
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"13⤵PID:7544
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat13⤵PID:7552
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r14⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7664
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f13⤵PID:7592
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f13⤵PID:7648
-
-
C:\Windows\system32\ipconfig.exeipconfig /release13⤵
- Gathers network information
PID:7680
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f13⤵
- Kills process with taskkill
PID:7708
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*13⤵
- Drops desktop.ini file(s)
- Drops autorun.inf file
- Views/modifies file attributes
PID:7736
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"13⤵PID:7792
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"13⤵PID:7800
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"13⤵PID:7824
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"13⤵PID:7864
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"13⤵PID:7892
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"13⤵PID:7932
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"13⤵PID:7956
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"13⤵PID:7988
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"13⤵PID:8004
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"13⤵PID:8024
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado13⤵PID:8044
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado13⤵PID:8088
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!13⤵PID:8132
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"13⤵PID:8148
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9579.tmp\957A.tmp\957B.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""14⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:7252 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd15⤵PID:4836
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV116⤵PID:7708
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd15⤵PID:7684
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"15⤵PID:8112
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat15⤵PID:8136
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r16⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6812
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f15⤵PID:7284
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f15⤵PID:6012
-
-
C:\Windows\system32\ipconfig.exeipconfig /release15⤵
- Gathers network information
PID:6684
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f15⤵
- Kills process with taskkill
PID:7436
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*15⤵
- Views/modifies file attributes
PID:6604
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"15⤵PID:7760
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"15⤵PID:8120
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"15⤵PID:7596
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"15⤵PID:6200
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"15⤵PID:6012
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"15⤵PID:6684
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"15⤵PID:6172
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"15⤵PID:6604
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"15⤵PID:400
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"15⤵PID:1132
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado15⤵PID:1588
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado15⤵PID:3204
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!15⤵PID:856
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"15⤵PID:3204
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B361.tmp\B362.tmp\B363.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""16⤵PID:8340
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd17⤵PID:8680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd17⤵PID:8688
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"17⤵PID:8824
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat17⤵PID:8840
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r18⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:8940
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f17⤵PID:8864
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f17⤵PID:8924
-
-
C:\Windows\system32\ipconfig.exeipconfig /release17⤵
- Gathers network information
PID:8956
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f17⤵
- Kills process with taskkill
PID:8972
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*17⤵
- Views/modifies file attributes
PID:9032
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"17⤵PID:9068
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"17⤵PID:9088
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"17⤵PID:9128
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"17⤵PID:9144
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"17⤵PID:9192
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"17⤵PID:9208
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"17⤵PID:8336
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"17⤵PID:8224
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"17⤵PID:8424
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"17⤵PID:8228
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado17⤵PID:8328
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado17⤵PID:1460
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!17⤵PID:8540
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"17⤵PID:8568
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CA06.tmp\CA07.tmp\CA08.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""18⤵PID:8856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd19⤵PID:8804
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd19⤵PID:8644
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"19⤵PID:8520
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat19⤵PID:1780
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r20⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5484
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f19⤵PID:8256
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f19⤵PID:8656
-
-
C:\Windows\system32\ipconfig.exeipconfig /release19⤵
- Gathers network information
PID:9008
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f19⤵
- Kills process with taskkill
PID:8868
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*19⤵
- Views/modifies file attributes
PID:9024
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"19⤵PID:8672
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"19⤵PID:9008
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"19⤵PID:8868
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"19⤵PID:9000
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"19⤵PID:6092
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"19⤵PID:9252
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"19⤵PID:9268
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"19⤵PID:9308
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"19⤵PID:9340
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"19⤵PID:9368
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado19⤵PID:9380
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado19⤵PID:9412
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!19⤵PID:9428
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"19⤵PID:9456
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E0CA.tmp\E0CB.tmp\E0CC.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""20⤵PID:9596
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd21⤵PID:9996
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd21⤵PID:10004
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"21⤵PID:10188
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat21⤵PID:10216
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r22⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:9444
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f21⤵PID:9396
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f21⤵PID:9428
-
-
C:\Windows\system32\ipconfig.exeipconfig /release21⤵
- Gathers network information
PID:9452
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f21⤵
- Kills process with taskkill
PID:9588
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*21⤵
- Views/modifies file attributes
PID:9612
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"21⤵PID:9904
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"21⤵PID:9924
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"21⤵PID:9936
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"21⤵PID:9956
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"21⤵PID:4704
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"21⤵PID:10032
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"21⤵PID:4756
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"21⤵PID:10096
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"21⤵PID:10120
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"21⤵PID:9764
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado21⤵PID:9752
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado21⤵PID:9688
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!21⤵PID:9652
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"21⤵PID:9552
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FCDE.tmp\FCDF.tmp\FCE0.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""22⤵PID:3748
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd23⤵PID:6356
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd23⤵PID:6408
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"23⤵PID:10296
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat23⤵PID:10308
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r24⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:10440
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f23⤵PID:10332
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f23⤵PID:10408
-
-
C:\Windows\system32\ipconfig.exeipconfig /release23⤵
- Gathers network information
PID:10424
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f23⤵
- Kills process with taskkill
PID:10456
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*23⤵
- Views/modifies file attributes
PID:10488
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"23⤵PID:10564
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"23⤵PID:10580
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"23⤵PID:10588
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"23⤵PID:10640
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"23⤵PID:10684
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"23⤵PID:10712
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"23⤵PID:10732
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"23⤵PID:10776
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"23⤵PID:10792
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"23⤵PID:10848
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado23⤵PID:10876
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado23⤵PID:10904
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!23⤵PID:10920
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"23⤵PID:10936
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1AB6.tmp\1AB7.tmp\1AB8.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""24⤵PID:11100
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd25⤵PID:10488
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd25⤵PID:10504
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"25⤵PID:11140
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat25⤵PID:11012
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r26⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:2116
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f25⤵PID:5028
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f25⤵PID:4396
-
-
C:\Windows\system32\ipconfig.exeipconfig /release25⤵
- Gathers network information
PID:3616
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f25⤵
- Kills process with taskkill
PID:3556
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*25⤵
- Views/modifies file attributes
PID:10952
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"25⤵PID:3096
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"25⤵PID:1512
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"25⤵PID:7232
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"25⤵PID:8184
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"25⤵PID:10408
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"25⤵PID:8332
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"25⤵PID:10496
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"25⤵PID:9680
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"25⤵PID:1840
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"25⤵PID:5180
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado25⤵PID:11220
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado25⤵PID:11132
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!25⤵PID:332
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"25⤵PID:592
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3F36.tmp\3F37.tmp\3F38.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""26⤵PID:5884
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd27⤵PID:5456
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd27⤵PID:5488
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"27⤵PID:5772
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat27⤵PID:8708
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r28⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5296
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f27⤵PID:5296
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f27⤵PID:5792
-
-
C:\Windows\system32\ipconfig.exeipconfig /release27⤵
- Gathers network information
PID:5616
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f27⤵
- Kills process with taskkill
PID:5792
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*27⤵
- Views/modifies file attributes
PID:5736
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"27⤵PID:11132
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"27⤵PID:3624
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"27⤵PID:5368
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"27⤵PID:5792
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"27⤵PID:5736
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"27⤵PID:11300
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"27⤵PID:11324
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"27⤵PID:11348
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"27⤵PID:11416
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"27⤵PID:11460
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado27⤵PID:11496
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado27⤵PID:11512
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!27⤵PID:11528
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"27⤵PID:11544
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\54C2.tmp\54C3.tmp\54C4.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""28⤵PID:11720
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd29⤵PID:11988
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd29⤵PID:12024
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"29⤵PID:12168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat29⤵PID:12188
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r30⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5308
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f29⤵PID:12220
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f29⤵PID:12268
-
-
C:\Windows\system32\ipconfig.exeipconfig /release29⤵
- Gathers network information
PID:12284
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f29⤵
- Kills process with taskkill
PID:11512
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*29⤵
- Views/modifies file attributes
PID:11660
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"29⤵PID:11736
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"29⤵PID:11624
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"29⤵PID:11812
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"29⤵PID:11712
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"29⤵PID:11852
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"29⤵PID:11888
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"29⤵PID:6280
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"29⤵PID:11916
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"29⤵PID:11972
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"29⤵PID:12040
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado29⤵PID:12076
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado29⤵PID:12116
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!29⤵PID:7784
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"29⤵PID:11868
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\72AA.tmp\72AB.tmp\72AC.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""30⤵PID:11716
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd31⤵PID:11748
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV132⤵PID:6560
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd31⤵PID:11528
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"31⤵PID:7816
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat31⤵PID:7876
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r32⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12284
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f31⤵PID:8012
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f31⤵PID:10680
-
-
C:\Windows\system32\ipconfig.exeipconfig /release31⤵
- Gathers network information
PID:7216
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f31⤵
- Kills process with taskkill
PID:12268
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*31⤵
- Views/modifies file attributes
PID:7148
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"31⤵PID:8012
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"31⤵PID:6740
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"31⤵PID:10232
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"31⤵PID:10448
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"31⤵PID:6556
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"31⤵PID:12200
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"31⤵PID:7744
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"31⤵PID:12312
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"31⤵PID:12336
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"31⤵PID:12376
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado31⤵PID:12392
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado31⤵PID:12420
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!31⤵PID:12444
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"31⤵PID:12460
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\914E.tmp\914F.tmp\9150.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""32⤵PID:12588
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd33⤵PID:12884
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd33⤵PID:12920
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"33⤵PID:13024
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat33⤵PID:13044
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r34⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13144
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f33⤵PID:13104
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f33⤵PID:13128
-
-
C:\Windows\system32\ipconfig.exeipconfig /release33⤵
- Gathers network information
PID:13168
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f33⤵
- Kills process with taskkill
PID:13200
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*33⤵
- Views/modifies file attributes
PID:13240
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"33⤵PID:13252
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"33⤵PID:13272
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"33⤵PID:13296
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"33⤵PID:7208
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"33⤵PID:12432
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"33⤵PID:12452
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"33⤵PID:12584
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"33⤵PID:12616
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"33⤵PID:12700
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"33⤵PID:12624
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado33⤵PID:12544
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado33⤵PID:7764
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!33⤵PID:12796
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"33⤵PID:12808
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AD23.tmp\AD24.tmp\AD25.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""34⤵PID:8248
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd35⤵PID:12776
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"36⤵PID:12768
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd35⤵PID:464
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"35⤵PID:9168
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat35⤵PID:9200
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r36⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12780
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f35⤵PID:8916
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f35⤵PID:8448
-
-
C:\Windows\system32\ipconfig.exeipconfig /release35⤵
- Gathers network information
PID:8316
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f35⤵
- Kills process with taskkill
PID:13108
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*35⤵
- Views/modifies file attributes
PID:9136
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"35⤵PID:8920
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"35⤵PID:11216
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"35⤵PID:12980
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"35⤵PID:6524
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"35⤵PID:8728
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"35⤵PID:9020
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"35⤵PID:8276
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"35⤵PID:9048
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"35⤵PID:13336
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"35⤵PID:13396
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado35⤵PID:13408
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado35⤵PID:13456
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!35⤵PID:13480
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"35⤵PID:13496
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CB1A.tmp\CB1B.tmp\CB1C.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""36⤵PID:13652
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd37⤵PID:13980
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"38⤵PID:14092
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd37⤵PID:14020
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"37⤵PID:14144
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat37⤵PID:14176
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r38⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14268
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f37⤵PID:14228
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f37⤵PID:14248
-
-
C:\Windows\system32\ipconfig.exeipconfig /release37⤵
- Gathers network information
PID:14260
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f37⤵
- Kills process with taskkill
PID:14300
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*37⤵
- Views/modifies file attributes
PID:11272
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"37⤵PID:13464
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"37⤵PID:9388
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"37⤵PID:1540
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"37⤵PID:9556
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"37⤵PID:13592
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"37⤵PID:13756
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"37⤵PID:13636
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"37⤵PID:13720
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"37⤵PID:13804
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"37⤵PID:13828
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado37⤵PID:13896
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado37⤵PID:13912
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!37⤵PID:13924
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"37⤵PID:12264
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EBD1.tmp\EBD2.tmp\EBD3.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""38⤵PID:13768
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd39⤵PID:13976
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd39⤵PID:11744
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"39⤵PID:8040
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat39⤵PID:4656
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r40⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12156
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f39⤵PID:10368
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f39⤵PID:11932
-
-
C:\Windows\system32\ipconfig.exeipconfig /release39⤵
- Gathers network information
PID:9412
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f39⤵
- Kills process with taskkill
PID:11532
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*39⤵
- Views/modifies file attributes
PID:5000
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"39⤵PID:14064
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"39⤵PID:11640
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"39⤵PID:10596
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"39⤵PID:10656
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"39⤵PID:2456
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"39⤵PID:10052
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"39⤵PID:14228
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"39⤵PID:11272
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"39⤵PID:10752
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"39⤵PID:2112
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado39⤵PID:10808
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado39⤵PID:12124
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!39⤵PID:12328
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"39⤵PID:7460
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\13AD.tmp\13AE.tmp\13AF.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""40⤵PID:14388
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd41⤵PID:14788
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd41⤵PID:14796
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"41⤵PID:14940
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat41⤵PID:14948
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r42⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15060
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f41⤵PID:14972
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f41⤵PID:15048
-
-
C:\Windows\system32\ipconfig.exeipconfig /release41⤵
- Gathers network information
PID:15080
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f41⤵
- Kills process with taskkill
PID:15108
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*41⤵
- Views/modifies file attributes
PID:15136
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"41⤵PID:15244
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"41⤵PID:15268
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"41⤵PID:15292
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"41⤵PID:15316
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"41⤵PID:15348
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"41⤵PID:6840
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"41⤵PID:14408
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"41⤵PID:4956
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"41⤵PID:13152
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"41⤵PID:14504
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado41⤵PID:4672
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado41⤵PID:12068
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!41⤵PID:11128
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"41⤵PID:11080
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\34F0.tmp\34F1.tmp\34F2.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""42⤵PID:12732
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd43⤵PID:15160
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd43⤵PID:13052
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"43⤵PID:14580
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat43⤵PID:5404
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r44⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:14536
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f43⤵PID:2564
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f43⤵PID:5300
-
-
C:\Windows\system32\ipconfig.exeipconfig /release43⤵
- Gathers network information
PID:14768
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f43⤵
- Kills process with taskkill
PID:14820
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*43⤵
- Views/modifies file attributes
PID:5592
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"43⤵PID:11284
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"43⤵PID:11320
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"43⤵PID:15132
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"43⤵PID:7236
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"43⤵PID:1908
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"43⤵PID:15140
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"43⤵PID:396
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"43⤵PID:11676
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"43⤵PID:7396
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"43⤵PID:6952
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado43⤵PID:7732
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado43⤵PID:752
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!43⤵PID:3948
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"43⤵PID:4028
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5951.tmp\5952.tmp\5953.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""44⤵PID:4292
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd45⤵PID:15172
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd45⤵PID:11984
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"45⤵PID:11660
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat45⤵PID:14660
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r46⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13740
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f45⤵PID:14652
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f45⤵PID:11780
-
-
C:\Windows\system32\ipconfig.exeipconfig /release45⤵
- Gathers network information
PID:11636
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f45⤵
- Kills process with taskkill
PID:8984
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*45⤵
- Views/modifies file attributes
PID:4516
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"45⤵PID:6912
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"45⤵PID:5140
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"45⤵PID:5652
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"45⤵PID:7732
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"45⤵PID:2832
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"45⤵PID:14500
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"45⤵PID:7844
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"45⤵PID:8496
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"45⤵PID:6160
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"45⤵PID:14648
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado45⤵PID:4916
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado45⤵PID:13120
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!45⤵PID:6680
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"45⤵PID:5380
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\813B.tmp\813C.tmp\813D.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""46⤵PID:11780
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd47⤵PID:12484
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd47⤵PID:10368
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"47⤵PID:5460
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat47⤵PID:12988
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r48⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:13036
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f47⤵PID:9860
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f47⤵PID:10340
-
-
C:\Windows\system32\ipconfig.exeipconfig /release47⤵
- Gathers network information
PID:9880
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f47⤵
- Kills process with taskkill
PID:8596
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*47⤵
- Views/modifies file attributes
PID:7500
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"47⤵PID:1856
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"47⤵PID:10184
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"47⤵PID:7812
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"47⤵PID:2004
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"47⤵PID:1964
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"47⤵PID:12628
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"47⤵PID:6928
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"47⤵PID:7120
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"47⤵PID:12268
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"47⤵PID:5640
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado47⤵PID:12760
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado47⤵PID:14908
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!47⤵PID:9884
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"47⤵PID:15040
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9DAD.tmp\9DAE.tmp\9DAF.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""48⤵PID:9452
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd49⤵PID:15500
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd49⤵PID:15528
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"49⤵PID:15680
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat49⤵PID:15688
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r50⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15832
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f49⤵PID:15716
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f49⤵PID:15796
-
-
C:\Windows\system32\ipconfig.exeipconfig /release49⤵
- Gathers network information
PID:15808
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f49⤵
- Kills process with taskkill
PID:15856
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*49⤵
- Views/modifies file attributes
PID:15948
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"49⤵PID:16008
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"49⤵PID:16028
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"49⤵PID:16052
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"49⤵PID:16080
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"49⤵PID:16112
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"49⤵PID:16148
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"49⤵PID:16176
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"49⤵PID:16192
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"49⤵PID:16232
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"49⤵PID:16252
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado49⤵PID:16292
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado49⤵PID:16308
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!49⤵PID:16324
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"49⤵PID:16348
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC60.tmp\BC61.tmp\BC62.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""50⤵PID:15444
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd51⤵PID:15948
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd51⤵PID:8316
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"51⤵PID:13552
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat51⤵PID:13632
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r52⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:4072
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f51⤵PID:16300
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f51⤵PID:10276
-
-
C:\Windows\system32\ipconfig.exeipconfig /release51⤵
- Gathers network information
PID:7096
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f51⤵
- Kills process with taskkill
PID:14364
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*51⤵
- Views/modifies file attributes
PID:6044
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"51⤵PID:15404
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"51⤵PID:16372
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"51⤵PID:7508
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"51⤵PID:10244
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"51⤵PID:15800
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"51⤵PID:14040
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"51⤵PID:15480
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"51⤵PID:13120
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"51⤵PID:11164
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"51⤵PID:4900
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado51⤵PID:15952
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado51⤵PID:10824
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!51⤵PID:5620
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"51⤵PID:4896
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E6DB.tmp\E6DC.tmp\E6DD.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""52⤵PID:13824
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd53⤵PID:11432
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd53⤵PID:16288
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"53⤵PID:5108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat53⤵PID:4104
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r54⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:15952
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f53⤵PID:11792
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f53⤵PID:13868
-
-
C:\Windows\system32\ipconfig.exeipconfig /release53⤵
- Gathers network information
PID:15912
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f53⤵
- Kills process with taskkill
PID:15908
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*53⤵
- Views/modifies file attributes
PID:4492
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"53⤵PID:11384
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"53⤵PID:3216
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"53⤵PID:14248
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"53⤵PID:11728
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"53⤵PID:15676
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"53⤵PID:15740
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"53⤵PID:13868
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"53⤵PID:15912
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"53⤵PID:196
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"53⤵PID:11944
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado53⤵PID:14652
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado53⤵PID:12032
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!53⤵PID:10532
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"53⤵PID:9692
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\25A9.tmp\25AA.tmp\25AB.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""54⤵PID:10252
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd55⤵PID:10264
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"56⤵PID:9320
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd55⤵PID:11056
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"56⤵PID:11496
-
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"55⤵PID:708
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat55⤵PID:7560
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r56⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:12244
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f55⤵PID:11540
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f55⤵PID:15908
-
-
C:\Windows\system32\ipconfig.exeipconfig /release55⤵
- Gathers network information
PID:10708
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f55⤵
- Kills process with taskkill
PID:14296
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*55⤵
- Views/modifies file attributes
PID:12392
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"55⤵PID:6168
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"55⤵PID:7284
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"55⤵PID:9516
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"55⤵PID:13192
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"55⤵PID:4184
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"55⤵PID:11092
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"55⤵PID:7968
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"55⤵PID:7376
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"55⤵PID:1860
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"55⤵PID:13204
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado55⤵PID:15980
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado55⤵PID:6728
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!55⤵PID:8220
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"55⤵PID:5212
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\546A.tmp\546B.tmp\546C.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""56⤵PID:16404
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd57⤵PID:16960
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd57⤵PID:16976
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"57⤵PID:17108
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat57⤵PID:17156
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r58⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:17272
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f57⤵PID:17188
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f57⤵PID:17224
-
-
C:\Windows\system32\ipconfig.exeipconfig /release57⤵
- Gathers network information
PID:17280
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f57⤵
- Kills process with taskkill
PID:17352
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*57⤵
- Views/modifies file attributes
PID:16400
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"57⤵PID:7788
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"57⤵PID:6004
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"57⤵PID:16532
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"57⤵PID:16528
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"57⤵PID:14636
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"57⤵PID:16472
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"57⤵PID:16616
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"57⤵PID:16364
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"57⤵PID:16396
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"57⤵PID:13444
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado57⤵PID:16684
-
-
C:\Windows\system32\msg.exemsg * Virus Detectado57⤵PID:13472
-
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!57⤵PID:16744
-
-
C:\Users\Admin\Desktop\ADZP 20 Complex.exe"C:\Users\Admin\Desktop\ADZP 20 Complex.exe"57⤵PID:16760
-
C:\Windows\system32\cmd.exe"C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8F02.tmp\8F03.tmp\8F04.bat "C:\Users\Admin\Desktop\ADZP 20 Complex.exe""58⤵PID:16856
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd59⤵PID:15036
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd59⤵PID:11596
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Informacion.vbs"59⤵PID:9284
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat59⤵PID:11628
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r60⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:17324
-
-
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f59⤵PID:10160
-
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f59⤵PID:12076
-
-
C:\Windows\system32\ipconfig.exeipconfig /release59⤵
- Gathers network information
PID:13308
-
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f59⤵
- Kills process with taskkill
PID:17328
-
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*59⤵
- Views/modifies file attributes
PID:8604
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"59⤵PID:16704
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"59⤵PID:16684
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"59⤵PID:15524
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"59⤵PID:15584
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"59⤵PID:15596
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\Advertencia.vbs"59⤵PID:12132
-
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\ErrorCritico.vbs"59⤵PID:13836
-
-
-
-
C:\Windows\system32\notepad.exenotepad57⤵PID:16832
-
-
C:\Windows\system32\calc.execalc57⤵PID:16864
-
-
C:\Windows\explorer.exeexplorer.exe57⤵PID:7996
-
-
-
-
C:\Windows\system32\notepad.exenotepad55⤵PID:6128
-
-
C:\Windows\system32\calc.execalc55⤵PID:13724
-
-
C:\Windows\explorer.exeexplorer.exe55⤵PID:16440
-
-
-
-
C:\Windows\system32\notepad.exenotepad53⤵PID:9604
-
-
C:\Windows\system32\calc.execalc53⤵PID:7972
-
-
C:\Windows\explorer.exeexplorer.exe53⤵PID:14980
-
-
-
-
C:\Windows\system32\notepad.exenotepad51⤵PID:9352
-
-
C:\Windows\system32\calc.execalc51⤵PID:5108
-
-
C:\Windows\explorer.exeexplorer.exe51⤵PID:10416
-
-
-
-
C:\Windows\system32\notepad.exenotepad49⤵PID:16356
-
-
C:\Windows\system32\calc.execalc49⤵PID:16364
-
-
C:\Windows\explorer.exeexplorer.exe49⤵PID:16372
-
-
-
-
C:\Windows\system32\notepad.exenotepad47⤵PID:2812
-
-
C:\Windows\system32\calc.execalc47⤵PID:6180
-
-
C:\Windows\explorer.exeexplorer.exe47⤵PID:7500
-
-
-
-
C:\Windows\system32\notepad.exenotepad45⤵PID:11016
-
-
C:\Windows\system32\calc.execalc45⤵PID:1396
-
-
C:\Windows\explorer.exeexplorer.exe45⤵PID:12844
-
-
-
-
C:\Windows\system32\notepad.exenotepad43⤵PID:7712
-
-
C:\Windows\system32\calc.execalc43⤵PID:7248
-
-
C:\Windows\explorer.exeexplorer.exe43⤵PID:15180
-
-
-
-
C:\Windows\system32\notepad.exenotepad41⤵PID:14584
-
-
C:\Windows\system32\calc.execalc41⤵PID:14592
-
-
C:\Windows\explorer.exeexplorer.exe41⤵PID:14600
-
-
-
-
C:\Windows\system32\notepad.exenotepad39⤵PID:10976
-
-
C:\Windows\system32\calc.execalc39⤵PID:11020
-
-
C:\Windows\explorer.exeexplorer.exe39⤵PID:11084
-
-
-
-
C:\Windows\system32\notepad.exenotepad37⤵PID:10072
-
-
C:\Windows\system32\calc.execalc37⤵PID:10060
-
-
C:\Windows\explorer.exeexplorer.exe37⤵PID:9304
-
-
-
-
C:\Windows\system32\notepad.exenotepad35⤵PID:13512
-
-
C:\Windows\system32\calc.execalc35⤵PID:13520
-
-
C:\Windows\explorer.exeexplorer.exe35⤵PID:13560
-
-
-
-
C:\Windows\system32\notepad.exenotepad33⤵PID:12824
-
-
C:\Windows\system32\calc.execalc33⤵PID:12836
-
-
C:\Windows\explorer.exeexplorer.exe33⤵PID:7392
-
-
-
-
C:\Windows\system32\notepad.exenotepad31⤵PID:12468
-
-
C:\Windows\system32\calc.execalc31⤵PID:12520
-
-
C:\Windows\explorer.exeexplorer.exe31⤵PID:12552
-
-
-
-
C:\Windows\system32\notepad.exenotepad29⤵PID:11856
-
-
C:\Windows\system32\calc.execalc29⤵PID:11756
-
-
C:\Windows\explorer.exeexplorer.exe29⤵PID:11748
-
-
-
-
C:\Windows\system32\notepad.exenotepad27⤵PID:11560
-
-
C:\Windows\system32\calc.execalc27⤵PID:11580
-
-
C:\Windows\explorer.exeexplorer.exe27⤵PID:11588
-
-
-
-
C:\Windows\system32\notepad.exenotepad25⤵PID:4396
-
-
C:\Windows\system32\calc.execalc25⤵PID:5300
-
-
C:\Windows\explorer.exeexplorer.exe25⤵PID:5336
-
-
-
-
C:\Windows\system32\notepad.exenotepad23⤵PID:10944
-
-
C:\Windows\system32\calc.execalc23⤵PID:10952
-
-
C:\Windows\explorer.exeexplorer.exe23⤵PID:10960
-
-
-
-
C:\Windows\system32\notepad.exenotepad21⤵PID:7108
-
-
C:\Windows\system32\calc.execalc21⤵PID:9452
-
-
C:\Windows\explorer.exeexplorer.exe21⤵PID:4656
-
-
-
-
C:\Windows\system32\notepad.exenotepad19⤵PID:9464
-
-
C:\Windows\system32\calc.execalc19⤵PID:9472
-
-
C:\Windows\explorer.exeexplorer.exe19⤵PID:9560
-
-
-
-
C:\Windows\system32\notepad.exenotepad17⤵PID:8592
-
-
C:\Windows\system32\calc.execalc17⤵PID:5164
-
-
C:\Windows\explorer.exeexplorer.exe17⤵PID:8616
-
-
-
-
C:\Windows\system32\notepad.exenotepad15⤵PID:3104
-
-
C:\Windows\system32\calc.execalc15⤵PID:4324
-
-
C:\Windows\explorer.exeexplorer.exe15⤵PID:8196
-
-
-
-
C:\Windows\system32\notepad.exenotepad13⤵PID:8156
-
-
C:\Windows\system32\calc.execalc13⤵
- Modifies registry class
PID:8164
-
-
C:\Windows\explorer.exeexplorer.exe13⤵
- Modifies registry class
PID:7224
-
-
-
-
C:\Windows\system32\notepad.exenotepad11⤵PID:6512
-
-
C:\Windows\system32\calc.execalc11⤵
- Modifies registry class
PID:6684
-
-
C:\Windows\explorer.exeexplorer.exe11⤵
- Modifies registry class
PID:6664
-
-
-
-
C:\Windows\system32\notepad.exenotepad9⤵PID:6544
-
-
C:\Windows\system32\calc.execalc9⤵
- Modifies registry class
PID:6560
-
-
C:\Windows\explorer.exeexplorer.exe9⤵
- Modifies registry class
PID:6580
-
-
-
-
C:\Windows\system32\notepad.exenotepad7⤵PID:5688
-
-
C:\Windows\system32\calc.execalc7⤵
- Modifies registry class
PID:5692
-
-
C:\Windows\explorer.exeexplorer.exe7⤵
- Modifies registry class
PID:5712
-
-
-
-
C:\Windows\system32\notepad.exenotepad5⤵PID:5276
-
-
C:\Windows\system32\calc.execalc5⤵
- Modifies registry class
PID:5284
-
-
C:\Windows\explorer.exeexplorer.exe5⤵
- Modifies registry class
PID:5292
-
-
-
-
C:\Windows\system32\notepad.exenotepad3⤵PID:2600
-
-
C:\Windows\system32\calc.execalc3⤵
- Modifies registry class
PID:1688
-
-
C:\Windows\explorer.exeexplorer.exe3⤵
- Modifies registry class
PID:1840
-
-
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Suspicious use of SetWindowsHookEx
PID:3856
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Suspicious use of SetWindowsHookEx
PID:5520
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Suspicious use of SetWindowsHookEx
PID:6012
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Suspicious use of SetWindowsHookEx
PID:6892
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Suspicious use of SetWindowsHookEx
PID:6912
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵
- Suspicious use of SetWindowsHookEx
PID:6156
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:8364
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:8480
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:9644
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:7136
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:11196
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:8308
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:11728
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:6192
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:12648
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:12976
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:13724
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:14204
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:14468
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:14824
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:12596
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:5640
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:9588
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:15512
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:13836
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:8312
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:16420
-
C:\Windows\system32\OpenWith.exe C:\Windows\system32\OpenWith.exe -Embedding 1⤵ PID:16928
Network
MITRE ATT&CK Enterprise v15
Execution
- Command and Scripting Interpreter: 1
- Scheduled Task/Job: 1
- Windows Management Instrumentation: 1
Persistence
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task/Job: 1
Privilege Escalation
- Boot or Logon Autostart Execution: 1
- Registry Run Keys / Startup Folder: 1
- Scheduled Task/Job: 1
Downloads
-
Filesize
37KB
MD535c2f97eea8819b1caebd23fee732d8f
SHA1e354d1cc43d6a39d9732adea5d3b0f57284255d2
SHA2561adfee058b98206cb4fbe1a46d3ed62a11e1dee2c7ff521c1eef7c706e6a700e
SHA512908149a6f5238fcccd86f7c374986d486590a0991ef5243f0cd9e63cc8e208158a9a812665233b09c3a478233d30f21e3d355b94f36b83644795556f147345bf
-
Filesize
37KB
MD54e57113a6bf6b88fdd32782a4a381274
SHA10fccbc91f0f94453d91670c6794f71348711061d
SHA2569bd38110e6523547aed50617ddc77d0920d408faeed2b7a21ab163fda22177bc
SHA5124f1918a12269c654d44e9d394bc209ef0bc32242be8833a2fba437b879125177e149f56f2fb0c302330dec328139b34982c04b3fefb045612b6cc9f83ec85aa9
-
Filesize
36KB
MD53d59bbb5553fe03a89f817819540f469
SHA126781d4b06ff704800b463d0f1fca3afd923a9fe
SHA2562adc900fafa9938d85ce53cb793271f37af40cf499bcc454f44975db533f0b61
SHA51295719ae80589f71209bb3cb953276538040e7111b994d757b0a24283aefe27aadbbe9eef3f1f823ce4cabc1090946d4a2a558607ac6cac6faca5971529b34dac
-
Filesize
47KB
MD5fb4e8718fea95bb7479727fde80cb424
SHA11088c7653cba385fe994e9ae34a6595898f20aeb
SHA256e13cc9b13aa5074dc45d50379eceb17ee39a0c2531ab617d93800fe236758ca9
SHA51224db377af1569e4e2b2ebccec42564cea95a30f1ff43bcaf25a692f99567e027bcef4aacef008ec5f64ea2eef0c04be88d2b30bcadabb3919b5f45a6633940cb
-
Filesize
36KB
MD53788f91c694dfc48e12417ce93356b0f
SHA1eb3b87f7f654b604daf3484da9e02ca6c4ea98b7
SHA25623e5e738aad10fb8ef89aa0285269aff728070080158fd3e7792fe9ed47c51f4
SHA512b7dd9e6dc7c2d023ff958caf132f0544c76fae3b2d8e49753257676cc541735807b4befdf483bcae94c2dcde3c878c783b4a89dca0fecbc78f5bbf7c356f35cd
-
Filesize
36KB
MD530a200f78498990095b36f574b6e8690
SHA1c4b1b3c087bd12b063e98bca464cd05f3f7b7882
SHA25649f2c739e7d9745c0834dc817a71bf6676ccc24a4c28dcddf8844093aab3df07
SHA512c0da2aae82c397f6943a0a7b838f60eeef8f57192c5f498f2ecf05db824cfeb6d6ca830bf3715da7ee400aa8362bd64dc835298f3f0085ae7a744e6e6c690511
-
Filesize
79KB
MD5b77e1221f7ecd0b5d696cb66cda1609e
SHA151eb7a254a33d05edf188ded653005dc82de8a46
SHA2567e491e7b48d6e34f916624c1cda9f024e86fcbec56acda35e27fa99d530d017e
SHA512f435fd67954787e6b87460db026759410fbd25b2f6ea758118749c113a50192446861a114358443a129be817020b50f21d27b1ebd3d22c7be62082e8b45223fc
-
Filesize
89KB
MD56735cb43fe44832b061eeb3f5956b099
SHA1d636daf64d524f81367ea92fdafa3726c909bee1
SHA256552aa0f82f37c9601114974228d4fc54f7434fe3ae7a276ef1ae98a0f608f1d0
SHA51260272801909dbba21578b22c49f6b0ba8cd0070f116476ff35b3ac8347b987790e4cc0334724244c4b13415a246e77a577230029e4561ae6f04a598c3f536c7e
-
Filesize
40KB
MD5c33afb4ecc04ee1bcc6975bea49abe40
SHA1fbea4f170507cde02b839527ef50b7ec74b4821f
SHA256a0356696877f2d94d645ae2df6ce6b370bd5c0d6db3d36def44e714525de0536
SHA5120d435f0836f61a5ff55b78c02fa47b191e5807a79d8a6e991f3115743df2141b3db42ba8bdad9ad259e12f5800828e9e72d7c94a6a5259312a447d669b03ec44
-
Filesize
36KB
MD5ff70cc7c00951084175d12128ce02399
SHA175ad3b1ad4fb14813882d88e952208c648f1fd18
SHA256cb5da96b3dfcf4394713623dbf3831b2a0b8be63987f563e1c32edeb74cb6c3a
SHA512f01df3256d49325e5ec49fd265aa3f176020c8ffec60eb1d828c75a3fa18ff8634e1de824d77dfdd833768acff1f547303104620c70066a2708654a07ef22e19
-
Filesize
38KB
MD5e79d7f2833a9c2e2553c7fe04a1b63f4
SHA13d9f56d2381b8fe16042aa7c4feb1b33f2baebff
SHA256519ad66009a6c127400c6c09e079903223bd82ecc18ad71b8e5cd79f5f9c053e
SHA512e0159c753491cac7606a7250f332e87bc6b14876bc7a1cf5625fa56ab4f09c485f7b231dd52e4ff0f5f3c29862afb1124c0efd0741613eb97a83cbe2668af5de
-
Filesize
37KB
MD5fa948f7d8dfb21ceddd6794f2d56b44f
SHA1ca915fbe020caa88dd776d89632d7866f660fc7a
SHA256bd9f4b3aedf4f81f37ec0a028aabcb0e9a900e6b4de04e9271c8db81432e2a66
SHA5120d211bfb0ae953081dca00cd07f8c908c174fd6c47a8001fadc614203f0e55d9fbb7fa9b87c735d57101341ab36af443918ee00737ed4c19ace0a2b85497f41a
-
Filesize
50KB
MD5313e0ececd24f4fa1504118a11bc7986
SHA1e1b9ae804c7fb1d27f39db18dc0647bb04e75e9d
SHA25670c0f32ed379ae899e5ac975e20bbbacd295cf7cd50c36174d2602420c770ac1
SHA512c7500363c61baf8b77fce796d750f8f5e6886ff0a10f81c3240ea3ad4e5f101b597490dea8ab6bd9193457d35d8fd579fce1b88a1c8d85ebe96c66d909630730
-
Filesize
46KB
MD5452615db2336d60af7e2057481e4cab5
SHA1442e31f6556b3d7de6eb85fbac3d2957b7f5eac6
SHA25602932052fafe97e6acaaf9f391738a3a826f5434b1a013abbfa7a6c1ade1e078
SHA5127613dc329abe7a3f32164c9a6b660f209a84b774ab9c008bf6503c76255b30ea9a743a6dc49a8de8df0bcb9aea5a33f7408ba27848d9562583ff51991910911f
-
Filesize
40KB
MD5c911aba4ab1da6c28cf86338ab2ab6cc
SHA1fee0fd58b8efe76077620d8abc7500dbfef7c5b0
SHA256e64178e339c8e10eac17a236a67b892d0447eb67b1dcd149763dad6fd9f72729
SHA5123491ed285a091a123a1a6d61aafbb8d5621ccc9e045a237a2f9c2cf6049e7420eb96ef30fdcea856b50454436e2ec468770f8d585752d73fafd676c4ef5e800a
-
Filesize
36KB
MD58d61648d34cba8ae9d1e2a219019add1
SHA12091e42fc17a0cc2f235650f7aad87abf8ba22c2
SHA25672f20024b2f69b45a1391f0a6474e9f6349625ce329f5444aec7401fe31f8de1
SHA51268489c33ba89edfe2e3aebaacf8ef848d2ea88dcbef9609c258662605e02d12cfa4ffdc1d266fc5878488e296d2848b2cb0bbd45f1e86ef959bab6162d284079
-
Filesize
37KB
MD5c7a19984eb9f37198652eaf2fd1ee25c
SHA106eafed025cf8c4d76966bf382ab0c5e1bd6a0ae
SHA256146f61db72297c9c0facffd560487f8d6a2846ecec92ecc7db19c8d618dbc3a4
SHA51243dd159f9c2eac147cbff1dda83f6a83dd0c59d2d7acac35ba8b407a04ec9a1110a6a8737535d060d100ede1cb75078cf742c383948c9d4037ef459d150f6020
-
Filesize
41KB
MD5531ba6b1a5460fc9446946f91cc8c94b
SHA1cc56978681bd546fd82d87926b5d9905c92a5803
SHA2566db650836d64350bbde2ab324407b8e474fc041098c41ecac6fd77d632a36415
SHA512ef25c3cf4343df85954114f59933c7cc8107266c8bcac3b5ea7718eb74dbee8ca8a02da39057e6ef26b64f1dfccd720dd3bf473f5ae340ba56941e87d6b796c9
-
Filesize
91KB
MD58419be28a0dcec3f55823620922b00fa
SHA12e4791f9cdfca8abf345d606f313d22b36c46b92
SHA2561f21838b244c80f8bed6f6977aa8a557b419cf22ba35b1fd4bf0f98989c5bdf8
SHA5128fca77e54480aea3c0c7a705263ed8fb83c58974f5f0f62f12cc97c8e0506ba2cdb59b70e59e9a6c44dd7cde6adeeec35b494d31a6a146ff5ba7006136ab9386
-
Filesize
864B
MD53e0020fc529b1c2a061016dd2469ba96
SHA1c3a91c22b63f6fe709e7c29cafb29a2ee83e6ade
SHA256402751fa49e0cb68fe052cb3db87b05e71c1d950984d339940cf6b29409f2a7c
SHA5125ca3c134201ed39d96d72911c0498bae6f98701513fd7f1dc8512819b673f0ea580510fa94ed9413ccc73da18b39903772a7cbfa3478176181cee68c896e14cf
-
Filesize
2.9MB
MD5ad4c9de7c8c40813f200ba1c2fa33083
SHA1d1af27518d455d432b62d73c6a1497d032f6120e
SHA256e18fdd912dfe5b45776e68d578c3af3547886cf1353d7086c8bee037436dff4b
SHA512115733d08e5f1a514808a20b070db7ff453fd149865f49c04365a8c6502fa1e5c3a31da3e21f688ab040f583cf1224a544aea9708ffab21405dde1c57f98e617
-
Filesize
64KB
MD55dcaac857e695a65f5c3ef1441a73a8f
SHA17b10aaeee05e7a1efb43d9f837e9356ad55c07dd
SHA25697ebce49b14c46bebc9ec2448d00e1e397123b256e2be9eba5140688e7bc0ae6
SHA51206eb5e49d19b71a99770d1b11a5bb64a54bf3352f36e39a153469e54205075c203b08128dc2317259db206ab5323bdd93aaa252a066f57fb5c52ff28deedb5e2
-
Filesize
20KB
MD54fef5e34143e646dbf9907c4374276f5
SHA147a9ad4125b6bd7c55e4e7da251e23f089407b8f
SHA2564a468603fdcb7a2eb5770705898cf9ef37aade532a7964642ecd705a74794b79
SHA5124550dd1787deb353ebd28363dd2cdccca861f6a5d9358120fa6aa23baa478b2a9eb43cef5e3f6426f708a0753491710ac05483fac4a046c26bec4234122434d5
-
Filesize
21KB
MD5846f131710a4515f1b35002c0a486b58
SHA116936f073c7d72e998628bb1752478f4bf89b566
SHA2562d196f850ec834ad3b97edf38aaa447155e47afa62ea14b900610c046fe787af
SHA512b670cba45d961ffdefc21f67470e56aace2a04117edfb78e4bf5719cf154bbee45e531e6f0788400c33f0475b2250fa915659d214babf389035a11fbcd65334b
-
Filesize
20KB
MD58495400f199ac77853c53b5a3f278f3e
SHA1be5d6279874da315e3080b06083757aad9b32c23
SHA2562ca2d550e603d74dedda03156023135b38da3630cb014e3d00b1263358c5f00d
SHA5120669c524a295a049fa4629b26f89788b2a74e1840bcdc50e093a0bd40830dd1279c9597937301c0072db6ece70adee4ace67c3c8a4fb2db6deafd8f1e887abe4
-
Filesize
240KB
MD57bf2b57f2a205768755c07f238fb32cc
SHA145356a9dd616ed7161a3b9192e2f318d0ab5ad10
SHA256b9c5d4339809e0ad9a00d4d3dd26fdf44a32819a54abf846bb9b560d81391c25
SHA51291a39e919296cb5c6eccba710b780519d90035175aa460ec6dbe631324e5e5753bd8d87f395b5481bcd7e1ad623b31a34382d81faae06bef60ec28b49c3122a9
-
Filesize
49B
MD5cfb046d3c9513b92c1b287da26f97c28
SHA1ea8208c4dad826b7fdb3b5b728863a95e86d4383
SHA256a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b
SHA512dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340
-
Filesize
22B
MD5fe669e0a3a56961fba38ef9b7f7d01dd
SHA1338b6f4a3ec71587d53aec450ca5448928f966a1
SHA256138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64
SHA512ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b
-
Filesize
44B
MD5ea260c435f9eb83e2b5041e734ff3598
SHA1ca70d64367cbdffbbf24e82baff4048119203a2e
SHA2563ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615
SHA512548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876
-
Filesize
568KB
MD537cbda979b054f52a91629131ede55c9
SHA1473fcf804ee3904601dc13c390e5bea4c58b5702
SHA25633765f8786fe116b6a584a0a90c7e5622e12f3b6ac6967d9d5f0b7b93a72b895
SHA512d72111cd07484976e4a8b5c63726c612f983286ae4992350742144eee49766fb70d18ace09674f84cf0f3d36421b8e9cdb56db5539ef96725322918a3a2db1ae
-
Filesize
86KB
MD5f2db87b351770e5995e9fcaad47d9591
SHA14c75bd93f458096fbc27fa852e16ce25a602f267
SHA2563113fa9a3cf00ed423a2c686a2ffb19586f6a047747de65a93436a7dca8fcfa7
SHA512608e74274b555a239534a9d43514e07cb8aad9b13baf4cc383e8c21ea4e9ebd36162dc0b4bf30a0975c334facf23d6e63742e2bbe4ba400e80d9f191893a84fc
-
Filesize
431KB
MD5fbbdc39af1139aebba4da004475e8839
SHA1de5c8d858e6e41da715dca1c019df0bfb92d32c0
SHA256630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da
SHA51274eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87
-
Filesize
3.4MB
MD584c82835a5d21bbcf75a61706d8ab549
SHA15ff465afaabcbf0150d1a3ab2c2e74f3a4426467
SHA256ed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa
SHA51290723a50c20ba3643d625595fd6be8dcf88d70ff7f4b4719a88f055d5b3149a4231018ea30d375171507a147e59f73478c0c27948590794554d031e7d54b7244
-
Filesize
55B
MD50f98a5550abe0fb880568b1480c96a1c
SHA1d2ce9f7057b201d31f79f3aee2225d89f36be07d
SHA2562dfb5f4b33e4cf8237b732c02b1f2b1192ffe4b83114bcf821f489bbf48c6aa1
SHA512dbc1150d831950684ab37407defac0177b7583da0fe13ee8f8eeb65e8b05d23b357722246888189b4681b97507a4262ece96a1c458c4427a9a41d8ea8d11a2f6