Analysis
max time kernel: 12s
max time network: 121s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 25-05-2024 17:00
Static task: static1
Behavioral task: behavioral1
Sample: ADZP 20 Complex.bat
Resource: win7-20240221-en
Behavioral task: behavioral2
Sample: ADZP 20 Complex.bat
Resource: win10v2004-20240426-en
General
Target: ADZP 20 Complex.bat
Size: 17KB
MD5: 591700c81fbd38cf8c83092030536c14
SHA1: a122ca4b91ec2275400e10f21093c43186391c97
SHA256: 29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e
SHA512: ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758
SSDEEP: 192:Un0iMJWap3ahz9j3E301VaYYATCdhSouXKN:ZJWo3yzHVbYMW
Malware Config
Signatures
-
Possible privilege escalation attempt 15 IoCs
Processes:
pid   process
6932  takeown.exe
6788  takeown.exe
6776  takeown.exe
6976  takeown.exe
5440  icacls.exe
3540  icacls.exe
6708  takeown.exe
1600  takeown.exe
1864  takeown.exe
6764  takeown.exe
7000  takeown.exe
632   takeown.exe
6740  takeown.exe
6732  takeown.exe
2200  takeown.exe
-
Modifies file permissions 1 TTPs 15 IoCs
Processes:
pid   process
632   takeown.exe
2200  takeown.exe
6708  takeown.exe
5440  icacls.exe
3540  icacls.exe
6764  takeown.exe
6932  takeown.exe
7000  takeown.exe
1600  takeown.exe
6732  takeown.exe
6776  takeown.exe
1864  takeown.exe
6740  takeown.exe
6788  takeown.exe
6976  takeown.exe
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops autorun.inf file 1 TTPs 8 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
Processes:
description                   ioc                                           process
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  attrib.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  attrib.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  attrib.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  attrib.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  cmd.exe
File opened for modification  C:\Users\Admin\AppData\Local\Temp\Autorun.inf  cmd.exe
-
Drops file in System32 directory 5 IoCs
Processes:
description                   ioc                               process
File created                  C:\Windows\System32\Twain_20.dll  cmd.exe
File opened for modification  C:\Windows\System32\Twain_20.dll  cmd.exe
File opened for modification  C:\Windows\System32\Twain_20.dll  cmd.exe
File opened for modification  C:\Windows\System32\Twain_20.dll  cmd.exe
File opened for modification  C:\Windows\System32\Twain_20.dll  cmd.exe
-
Drops file in Windows directory 9 IoCs
Processes:
description                   ioc                                 process
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
File opened for modification  C:\Windows\Debug\WIA\wiatrace.log  mspaint.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 13 IoCs
Uses commandline utility to view network configuration.
Processes:
pid   process
2820  ipconfig.exe
5704  ipconfig.exe
6540  ipconfig.exe
2104  ipconfig.exe
5980  ipconfig.exe
6000  ipconfig.exe
2712  ipconfig.exe
5796  ipconfig.exe
5884  ipconfig.exe
6444  ipconfig.exe
632   ipconfig.exe
1464  ipconfig.exe
6508  ipconfig.exe
-
Kills process with taskkill 13 IoCs
Processes:
pid   process
6056  taskkill.exe
5620  taskkill.exe
6132  taskkill.exe
5636  taskkill.exe
6076  taskkill.exe
6516  taskkill.exe
6612  taskkill.exe
1784  taskkill.exe
1672  taskkill.exe
956   taskkill.exe
6576  taskkill.exe
2936  taskkill.exe
2628  taskkill.exe
-
Suspicious use of AdjustPrivilegeToken 8 IoCs
Processes:
description                        pid   process
Token: SeTakeOwnershipPrivilege    1600  takeown.exe
Token: SeDebugPrivilege            2936  taskkill.exe
Token: SeDebugPrivilege            1784  taskkill.exe
Token: SeDebugPrivilege            1672  taskkill.exe
Token: SeDebugPrivilege            2628  taskkill.exe
Token: SeTakeOwnershipPrivilege    1864  takeown.exe
Token: SeTakeOwnershipPrivilege    632   takeown.exe
Token: SeTakeOwnershipPrivilege    2200  takeown.exe
-
Suspicious use of SetWindowsHookEx 21 IoCs
Processes:
pid   process
1016  mspaint.exe
2948  mspaint.exe
748   mspaint.exe
2948  mspaint.exe
1016  mspaint.exe
748   mspaint.exe
1016  mspaint.exe
2948  mspaint.exe
1016  mspaint.exe
2948  mspaint.exe
748   mspaint.exe
748   mspaint.exe
3088  mspaint.exe
3156  mspaint.exe
1672  mspaint.exe
3628  mspaint.exe
3820  mspaint.exe
3920  mspaint.exe
3088  mspaint.exe
3156  mspaint.exe
1672  mspaint.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Views/modifies file attributes 1 TTPs 5 IoCs
Processes:
pid   process
1560  attrib.exe
2372  attrib.exe
1240  attrib.exe
864   attrib.exe
5728  attrib.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"1⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f2⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f2⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release2⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*2⤵
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado2⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado2⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
- Drops autorun.inf file
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h "C:\Program Files"3⤵
- Views/modifies file attributes
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
-
C:\Windows\system32\mspaint.exemspaint.exe2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
- Drops autorun.inf file
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
-
C:\Windows\system32\mspaint.exemspaint.exe2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
- Drops autorun.inf file
- Drops file in System32 directory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat3⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f3⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release3⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\attrib.exeattrib -r -a -s -h *.*3⤵
- Drops autorun.inf file
- Views/modifies file attributes
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Virus Detectado3⤵
-
C:\Windows\system32\msg.exemsg * Has Sido Hackeado!3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Twain_20.cmd4⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"4⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K Taskdl.bat4⤵
-
C:\Windows\system32\takeown.exetakeown /f "C:\Windows\System32" /r5⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\reg.exereg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\reg.exereg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f4⤵
-
C:\Windows\system32\ipconfig.exeipconfig /release4⤵
- Gathers network information
-
C:\Windows\system32\taskkill.exetaskkill /im DiskPart /f4⤵
- Kills process with taskkill
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"3⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"3⤵
-
C:\Windows\system32\notepad.exenotepad3⤵
-
C:\Windows\system32\calc.execalc3⤵
-
C:\Windows\explorer.exeexplorer.exe3⤵
-
C:\Windows\system32\mspaint.exemspaint.exe3⤵
-
C:\Windows\system32\icacls.exeicacls "C:\Program Files"3⤵
- Possible privilege escalation attempt
- Modifies file permissions
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
-
C:\Windows\explorer.exeexplorer.exe2⤵
-
C:\Windows\system32\mspaint.exemspaint.exe2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"2⤵
-
C:\Windows\System32\WScript.exe"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"2⤵
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"2⤵
-
C:\Windows\system32\notepad.exenotepad2⤵
-
C:\Windows\system32\calc.execalc2⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads