d6607a9ec5fc0698f50382ffe61a4ad1f36a8b26c0834c305f40e41647980668

Analysis

max time kernel
11s
max time network
119s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.vbs
Size

32KB
MD5

36deca5bd53f31d062d07c1d3fa0cc8d
SHA1

1d245de03d3725b180f572b15036cbb168445edf
SHA256

d6607a9ec5fc0698f50382ffe61a4ad1f36a8b26c0834c305f40e41647980668
SHA512

e1253113a5dfd1cd7e93dfe45649d89e072db432b1724aaf36c7b082b38e770c4755e4d01c136134bb9356f74daa1e7205e5fa43f575edb5013a91f738be71c1
SSDEEP

384:WO9h4Bbs9odeP93e6xj6BT2xg2mP+CMdNLjl9NQJW:lZ+kPxe6x+BT22FGCMdtZoW

Score

8^/10

discovery exploit spyware stealer

Malware Config

Signatures

Possible privilege escalation attempt 15 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
6584	takeown.exe
6484	takeown.exe
2656	takeown.exe
6576	takeown.exe
7480	icacls.exe
2328	takeown.exe
6476	takeown.exe
6500	takeown.exe
6492	takeown.exe
6568	takeown.exe
2056	takeown.exe
2784	takeown.exe
6540	takeown.exe
6512	takeown.exe
7364	icacls.exe

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exe

pid	process
2328	takeown.exe
2656	takeown.exe
2784	takeown.exe
6476	takeown.exe
6500	takeown.exe
6576	takeown.exe
2056	takeown.exe
6484	takeown.exe
6512	takeown.exe
7364	icacls.exe
6540	takeown.exe
6568	takeown.exe
6492	takeown.exe
6584	takeown.exe
7480	icacls.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops autorun.inf file 1 TTPs 8 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

attrib.execmd.execmd.execmd.exeattrib.exeattrib.exeattrib.execmd.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 5 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Drops file in Windows directory 12 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
5840	ipconfig.exe
5772	ipconfig.exe
5956	ipconfig.exe
5256	ipconfig.exe
3324	ipconfig.exe
1132	ipconfig.exe
1664	ipconfig.exe
1688	ipconfig.exe
5272	ipconfig.exe
5728	ipconfig.exe
2036	ipconfig.exe
5224	ipconfig.exe
3756	ipconfig.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
316	taskkill.exe
5520	taskkill.exe
2624	taskkill.exe
5860	taskkill.exe
5320	taskkill.exe
4708	taskkill.exe
6152	taskkill.exe
5272	taskkill.exe
6200	taskkill.exe
6208	taskkill.exe
2432	taskkill.exe
2876	taskkill.exe
5212	taskkill.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

takeown.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	2328	takeown.exe
Token: SeDebugPrivilege	2432	taskkill.exe
Token: SeDebugPrivilege	316	taskkill.exe
Token: SeDebugPrivilege	2876	taskkill.exe
Token: SeDebugPrivilege	2624	taskkill.exe
Token: SeTakeOwnershipPrivilege	2056	takeown.exe
Token: SeTakeOwnershipPrivilege	2656	takeown.exe
Token: SeTakeOwnershipPrivilege	2784	takeown.exe

Suspicious use of SetWindowsHookEx 27 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	process
1644	mspaint.exe
1648	mspaint.exe
2704	mspaint.exe
1648	mspaint.exe
1644	mspaint.exe
2704	mspaint.exe
1644	mspaint.exe
1644	mspaint.exe
1648	mspaint.exe
1648	mspaint.exe
2704	mspaint.exe
2704	mspaint.exe
3092	mspaint.exe
3184	mspaint.exe
3392	mspaint.exe
3484	mspaint.exe
3568	mspaint.exe
3680	mspaint.exe
3092	mspaint.exe
4036	mspaint.exe
3184	mspaint.exe
3804	mspaint.exe
3392	mspaint.exe
4208	mspaint.exe
3484	mspaint.exe
3568	mspaint.exe
3680	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.execmd.exe

description	pid	process	target process
PID 2716 wrote to memory of 1056	2716	WScript.exe	cmd.exe
PID 2716 wrote to memory of 1056	2716	WScript.exe	cmd.exe
PID 2716 wrote to memory of 1056	2716	WScript.exe	cmd.exe
PID 1056 wrote to memory of 3048	1056	cmd.exe	certutil.exe
PID 1056 wrote to memory of 3048	1056	cmd.exe	certutil.exe
PID 1056 wrote to memory of 3048	1056	cmd.exe	certutil.exe
PID 1056 wrote to memory of 2824	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2824	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2824	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2196	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2196	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2196	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 1312	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1312	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1312	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2592	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2592	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2592	1056	cmd.exe	cmd.exe
PID 1056 wrote to memory of 2768	1056	cmd.exe	reg.exe
PID 1056 wrote to memory of 2768	1056	cmd.exe	reg.exe
PID 1056 wrote to memory of 2768	1056	cmd.exe	reg.exe
PID 1056 wrote to memory of 2184	1056	cmd.exe	explorer.exe
PID 1056 wrote to memory of 2184	1056	cmd.exe	explorer.exe
PID 1056 wrote to memory of 2184	1056	cmd.exe	explorer.exe
PID 1056 wrote to memory of 2036	1056	cmd.exe	conhost.exe
PID 1056 wrote to memory of 2036	1056	cmd.exe	conhost.exe
PID 1056 wrote to memory of 2036	1056	cmd.exe	conhost.exe
PID 2592 wrote to memory of 2328	2592	cmd.exe	takeown.exe
PID 2592 wrote to memory of 2328	2592	cmd.exe	takeown.exe
PID 2592 wrote to memory of 2328	2592	cmd.exe	takeown.exe
PID 1056 wrote to memory of 2432	1056	cmd.exe	taskkill.exe
PID 1056 wrote to memory of 2432	1056	cmd.exe	taskkill.exe
PID 1056 wrote to memory of 2432	1056	cmd.exe	taskkill.exe
PID 1056 wrote to memory of 316	1056	cmd.exe	attrib.exe
PID 1056 wrote to memory of 316	1056	cmd.exe	attrib.exe
PID 1056 wrote to memory of 316	1056	cmd.exe	attrib.exe
PID 1056 wrote to memory of 1244	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1244	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1244	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2052	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2052	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2052	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 320	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 320	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 320	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2076	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2076	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2076	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2148	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2148	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2148	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2504	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2504	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2504	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1828	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1828	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1828	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1584	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1584	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 1584	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2740	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2740	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2740	1056	cmd.exe	WScript.exe
PID 1056 wrote to memory of 2560	1056	cmd.exe	WScript.exe

Views/modifies file attributes 1 TTPs 12 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
308	attrib.exe
3816	attrib.exe
4696	attrib.exe
316	attrib.exe
2472	attrib.exe
7532	attrib.exe
7624	attrib.exe
2508	attrib.exe
5396	attrib.exe
1968	attrib.exe
8216	attrib.exe
2752	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.vbs"
1⤵
- Suspicious use of WriteProcessMemory
PID:2716
- C:\Windows\System32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\TempShingapi.sk.bat" "
  2⤵
  - Drops autorun.inf file
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:1056
- - C:\Windows\system32\certutil.exe
    certutil -decode x.bin ADZP-20-Complex.bat
    3⤵
    PID:3048
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:2824
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Twain_20.cmd
    3⤵
    PID:2196
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
    3⤵
    PID:1312
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2328
- - C:\Windows\system32\reg.exe
    reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:2768
- - C:\Windows\system32\reg.exe
    reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
    3⤵
    PID:2184
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2036
- - C:\Windows\system32\taskkill.exe
    taskkill /im DiskPart /f
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2432
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:316
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:1244
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2052
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:320
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2076
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2148
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2504
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:1828
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1584
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2740
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2560
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:2708
- - C:\Windows\system32\msg.exe
    msg * Virus Detectado
    3⤵
    PID:2536
- - C:\Windows\system32\msg.exe
    msg * Has Sido Hackeado!
    3⤵
    PID:2640
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    - Drops autorun.inf file
    - Drops file in System32 directory
    PID:2980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:2996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:1656
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:2168
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:2240
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2784
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:856
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:2256
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1132
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:316
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:2752
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1736
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2300
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2396
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:664
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:852
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1708
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3364
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4084
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3460
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3468
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3808
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:3872
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:3908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5008
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:4960
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:3928
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6476
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5152
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5812
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5956
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:5320
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:5396
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8320
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4072
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3596
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3076
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3092
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3100
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4196
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5016
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:4912
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6500
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:4024
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5748
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5772
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:5212
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:2508
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8196
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:3116
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3140
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3160
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3184
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3148
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4816
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4768
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5300
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5420
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6484
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5480
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:6008
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5256
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:5520
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:3816
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:3196
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3256
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3732
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3836
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3696
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4344
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:4800
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4392
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:4968
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:6924
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:6948
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6972
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6988
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:6996
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:7012
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:7036
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7068
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7092
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:7108
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:7136
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:7156
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3168
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3324
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5224
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4528
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:6348
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4932
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6552
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:6612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:6628
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:2960
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3016
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:1740
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:908
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:1044
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3056
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6776
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:6104
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5004
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4432
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4340
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4108
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:4112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4700
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4720
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4760
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4104
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5448
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:5788
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6076
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6088
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5276
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5472
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:5628
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5936
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5184
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5244
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5308
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:5508
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7196
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7240
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:7264
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:7304
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:7328
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7396
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7428
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:7440
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:7480
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Program Files"
      4⤵
      Views/modifies file attributes
      PID:7624
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:4360
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:6352
  - - C:\Windows\system32\format.com
      format /y /q D:
      4⤵
      PID:8400
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2760
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2344
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2116
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1644
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    - Drops autorun.inf file
    - Drops file in System32 directory
    PID:1296
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:2800
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:2684
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:2332
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:2648
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:2680
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:1080
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1664
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2876
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:308
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1696
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1676
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1748
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2640
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2456
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3120
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3500
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3932
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3264
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3724
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3800
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3856
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:4048
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3156
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4740
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5400
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5440
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6492
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5524
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:6016
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5272
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:5860
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:1968
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        5⤵
        
        PID:8464
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:3212
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3292
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3340
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3484
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4204
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4568
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5652
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5696
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6512
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5728
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5540
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5728
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:4708
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:4696
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:3516
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3532
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3540
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3568
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:2440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:4168
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:3800
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5944
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5996
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6540
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:6040
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5320
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5840
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:5272
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:8216
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:3628
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3644
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3672
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3680
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3404
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3900
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4636
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5036
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4772
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:4292
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:6908
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:6916
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6940
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6964
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:6980
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:7004
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:7020
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7052
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7060
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:7084
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:7100
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:7120
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7148
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5188
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:3112
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4848
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4856
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4596
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6528
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:6596
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:6620
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:5888
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2924
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:1948
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:1864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:764
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:1928
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2232
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2084
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:6728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:264
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:1976
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7048
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:2236
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:4396
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4408
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4660
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4820
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6784
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5044
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4752
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4924
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4964
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5432
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:4664
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:6052
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:6136
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5340
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5584
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5828
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:6120
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:5240
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5232
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:5352
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:5796
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:7220
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:7256
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7296
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      PID:7320
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Program Files"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:7364
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Program Files"
      4⤵
      Views/modifies file attributes
      PID:7532
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:5812
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:6164
  - - C:\Windows\system32\format.com
      format /y /q D:
      4⤵
      PID:8372
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2500
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2584
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2612
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2704
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    - Drops autorun.inf file
    - Drops file in System32 directory
    PID:2772
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:1300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:340
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:2880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:2264
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:1716
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:888
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:1688
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2624
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:2472
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:2712
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1700
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1912
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3220
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3580
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:3260
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3776
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4020
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3948
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3764
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:3916
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:3428
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:2868
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5380
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:4376
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5172
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6576
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5772
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:2680
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5224
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:6200
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4052
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3360
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3408
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4036
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3472
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:5644
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:3440
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5764
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6584
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5748
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:1552
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3756
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:6208
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:3844
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:3824
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3800
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:3804
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
      4⤵
      PID:3896
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:6112
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        5⤵
        
        PID:6132
    - - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        5⤵
        
        PID:5180
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6044
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6568
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5660
    - - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        5⤵
        
        PID:5540
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3324
    - - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        5⤵
        Kills process with taskkill
        
        PID:6152
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4136
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4152
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4172
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Drops file in Windows directory
      Suspicious use of SetWindowsHookEx
      PID:4208
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4620
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5028
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:3164
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4188
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5020
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2832
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1720
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2184
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:1648
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:1284
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:2156
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:1576
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:3004
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
    3⤵
    PID:2632
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
    3⤵
    PID:1476
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    PID:5408
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3748
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6884
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5280
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:4628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    PID:1620
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6648
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:6468
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6988
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:5752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    PID:3508
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:6688
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1508
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5512
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:6384
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    PID:5708
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3040
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3788
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3428
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:1552
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    PID:5320
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5852
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5860
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2508
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:4708
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
    3⤵
    PID:5396
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:5772
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:7208
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6968
- - C:\Windows\system32\mspaint.exe
    mspaint.exe
    3⤵
    PID:5864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1255964061-544150849-16573972111863020607-1660537181-13153820881570418774660387703"
1⤵
PID:2036

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-676887625-1073134067-8410375181794150156-11418564961862864579-165912570391075188"
1⤵
PID:2708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "437577013392280940-10738306884194125961338202433694962308-12139074161007318137"
1⤵
PID:3672

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-555270786-1787551311-408814385-14607659411204674690118924370114835254711973785691"
1⤵
PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempShingapi.sk.bat

Filesize
26KB

MD5
977b003963e42262994223bfb827d610

SHA1
c357ccea26f64da9ad5c3bf96b83e12ccaeb916e

SHA256
d7a449acbcb78e0fb137a868d2c8b4e86f32d643cde7e7f291f77e5480ae2bb8

SHA512
99e3dadeebc8c35c6a47a0c7de4e82dbd558f5c23df910ff6899537f3ae370c4c5ea125353cb22ae469a332dfec14577a06ae651309405ef2e69ea000ff18e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat

Filesize
17KB

MD5
591700c81fbd38cf8c83092030536c14

SHA1
a122ca4b91ec2275400e10f21093c43186391c97

SHA256
29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

SHA512
ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
300B

MD5
88a2fcd93445c8b092324fe1236d31dc

SHA1
f63653fe34d54b7e42e29689a934ed097329128d

SHA256
0783070444c465de8a21f7fc41f61d2bd535e995454e4086b2e01780e96ad419

SHA512
3e44cce194b1cc3d6946d33dee6756f0333edc886f9ebe8149887c2e9b35867575ed47f15b2c384ed37aab3b8e37dae3369e1259d132bdf9bb832c70c09e8085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
360B

MD5
8d485f3ac2acb6e586e8f1d8af2df57f

SHA1
43e9653ecedbad263a5e015ecaa3eebb7a44feb9

SHA256
530f6ebaf4445acb0855efc516729598a3312aeedd0ef9024da6f347f152e783

SHA512
4105fa612f86d46457f77449c095cd9e1f59dcb4d137bf3d822e4f52f89c517faadfbaa00b07d15aabfc0d2afdb093ea63d59add313525149f17b7427917494b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
120B

MD5
6bc9ab9854695874c5338bd08dde7db5

SHA1
8ae8dc91cd8b80dd688378a3eacb2750e2de8c3c

SHA256
d4249fbe2df7ddc684f61bbba98e5d3312c85e5787d5500a73ff18a5abce76eb

SHA512
e8fda27e7d1144816879b84fa04b8b3a7063f3841e57a1aaa918b5dfa1dc35f0f4380f89ca861c59ea45d884488e68309dabff15200e6b99038df4431e439f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
370B

MD5
3fdd19fb2a886abcccbbb2d3253b43ea

SHA1
56f40cec4c6287084f3fe5147a929e9c6d81ab41

SHA256
005939c96c791e50f2aa446ad812e3bfeae8297fee51c7f6e543d1d6571882a3

SHA512
cdc92751c460ef659637ff239479503f13c701bddb704799e173e6b2e9ad90fd551b5cbf2dd060ecadc0f9f450e2c49656a74a9a36f7d82b919d92dca234e467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
444B

MD5
929d76643e667f8d6faa590f5cfee782

SHA1
e120fdfc91c88681f835b703c336908b9cd4b649

SHA256
dedb3209e6ffe8a68578145eda5a34b9f64108c4ccb3b228fb9fa3d7ada5380a

SHA512
bfd61aaf55a50d3c4bbb0386ac02aebfdf14fb8d009bc47eb0e6398b49229222e3c0b7d23b22b235efa14398d6340084d0b9b683bbd9c3ab2f66c0a6d27a4171

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
529B

MD5
e6db76fe5bc170224d2e01bd195826c3

SHA1
e8f4d6db502e4e103bf9c9a114dd12eee1d1f0fe

SHA256
2060d357388b42778a334954dce5491b322cf28e4990f7cd7836c3327271f162

SHA512
0a0bed8f79893c5f2fe4bb292ab27f699ec7c83da0c05d14ba23f9122b7db08a7071546f5944fda45197a1b650a68ff8d7aac71c002b16830506cf9b84e47dab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
603B

MD5
23308d4f81622be89889a1a6bdb76279

SHA1
68fa20278ec7ef725500fa0f336b662ff142ef6d

SHA256
5c7b261b298ecc45f6e798f4769df471e1665175e4d37f2525e1c35bdb03c2f9

SHA512
936a3df6c38997b46deab60cbbcc902124e05c7e91cdd69df807496a0883d08840cb85fc50c6f621e4940f7e296209dac75655e79ad9f23dbe3e87aef80d33fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
181B

MD5
f9379027075a8b91d87d11a4764d8607

SHA1
9d8a4d2282ba01999ca71af6258031f637254e8f

SHA256
9adcc837ef5e11eb31625b3bd9eb7280b40fd1e0596505153f1269d8414d6a4f

SHA512
25bbc44545384fa8d4b86b876384a9373c2439fc86a3a2f1b4bdabdbd6ddae39f4874ee8db01940d49ab6cd7e4a8bc032de47cdb8bb60d37c71a985fb5397169

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
270B

MD5
adad2cd23a8880d4b3bdb1481c5b7998

SHA1
823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c

SHA256
838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69

SHA512
8c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
324B

MD5
b260589bc116e407e75412be10ce0c7c

SHA1
b3498d228b26ad13ba76b27d624ef5eef940221c

SHA256
61bf3a4e7eb43119fb6f69c2d63872f35b9b6d79fd5a846ad824951ccea9898f

SHA512
007b78a36ea10d91360610ceec313bfa51c663c719859edf95dae0cdb75bdbbe6908bf0cb4c3f2e237539e0e20dc64266328e8a82ad5a7c90b59b6f56f683c4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
382B

MD5
43dedec91e9b5fe4b62c7b949cd495ed

SHA1
caff7ffe7459b801bc5735c7431df8b6fc1078fa

SHA256
0707369384aa37884fba95f6833e1d7b28ad1010841413ecbf42b9b1d20e71b6

SHA512
edce2cfcbd524d182634cb3c20e40dbf24482ff3a8ef9601f6b4097b0de8a027a71ba5dff07929a9183635124eabca23a31cb453dc6437f1dce138c0609eca99

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
480B

MD5
2b4b5f8ba1fc275d616f6b5e55713aa8

SHA1
a49f52d44e5427579227a312762238259791a938

SHA256
c9eeca17c239e9e55007543dc53f41ea0cc8e4d3eca6bcb8c060960885bd5464

SHA512
f992b10b4fd4be70c4dc654e3360c2f552c9143aa4e34bcd58e4bd21a6e0deca462fcfd64e240f8b64d61225e84f5ba81fc3cd215f2faf0eb0c00f7914e62bcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
108B

MD5
aea78da25dd9a4226b49abfadcc3977c

SHA1
1ae73fa0157801a3c42074f6d057712de6427e31

SHA256
18d5c5a71bb9b2414e4a08a52eeacf10961f29c5c582964b3507896be885b3a4

SHA512
f4a2c037f59680fe9d7931866fac1d28c3006e1fbf128ff8b6cb8f3edd54b32854e3a51839f8aca9288e657ece7dd645875ef4db1160c92d1f515137fb245ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
345B

MD5
baa511e0932e6c0781dd1488615d17a6

SHA1
e3218aefe8c272ade02eb6cc5188df6d50b04de0

SHA256
20fa853d5be5b8f30eeb6ae3e24558a2091d80102944ab26b9861df5cea6c6fa

SHA512
24be7fabda63dd82dfb5307e2ae0dc7176bf59c0918f1316bddb7515e0695b10cd6e24420af4afcda3d5f1b01e3d540a2d75a629f40c381da05eb3c28ff4697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
418B

MD5
7c469eaae93d67c7f8f28fa787740d01

SHA1
4d03d82d8145f1da52a52af87174670cf82c1ffb

SHA256
da136d25001651a09f0b08f84e68125de955f14e8d602e85049c933758ea4298

SHA512
1c1c8c10c52e8075354429dd0f1dd7c302151a28c710cba245f2b1169f2fa31b2e2e73330f8f3ee654490c44519f0ed89359f7392a087e5e7ef906b7fee66900

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
487B

MD5
9e4759658b08c3684f0f0b38bafdd6af

SHA1
55c2c25e5cffb0bdeac7d7864d318426b1feb9cb

SHA256
2418628d9dffed0b50051310c00237c8a69e4c14fe2f8f73bfc34a907548a038

SHA512
2c91c2fc3216dea925a55a8c2413be838f252c878f7b6e8f9127d38f8401d581e35407ab1eb7f6908d0430af5529f4c761579f6aafbd8dd163662bfbccaa7f3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
552B

MD5
a1cb8c48e97707a11ac8794937babd64

SHA1
d0c4383824e6da91c7e96564898c2ef7260ea719

SHA256
b4050967df21001336f0f6770a89acaae2065622a8501032e81bb68e4aec94fa

SHA512
1aec19c285d34f78a4fd8c7a9c044b4710d230b600d89c5f1d7a7baa6382701046d6a359dade75c78a37804baff4a6351690ee11fffba08488126245e1a14076

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
897B

MD5
c2ad111a08afc24b3b049268249f7684

SHA1
c8bb29425d2a9f2ab18e788eebcbba6ea8e72c4a

SHA256
5b27e40b2fdfcd2d7a72531ecbd822a673dfdad55b2f9b4f8238ed96c083ca18

SHA512
a6ccc4d657436925529995efbbde77127b17f887b06a3d207963bb4291e60b739719882d2a3d72fe3000d2c2b452591337932cc44929e77a9005018d98f5c97d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
201B

MD5
d88eb6431ce886b898998f1adb9ab563

SHA1
e5fc42298ffbeba0c6345e349aee94ce7a401f9d

SHA256
20eec25ed3bc24eda5251213559b15947ea9c9d8e27b55ea83c26d87f8ddea83

SHA512
7d63e3f0c5335e920afc7c9aa367869c02df34bfe8f2333a54bc864c74e5bde7fc62419538d2c9be71f23a3dac6ccda6aa4ebb4db024fd17d155e256244aca41

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
8d42b25e34da75cd09d10b534d7a6012

SHA1
a408aa5cb02089156497c1976c7fe41dd42f06d9

SHA256
d20e9eb2185a2d21b55a5f1ae338e500337d8a43c117c0929c0e3233a58bea1a

SHA512
ead990dff8a6a1d47ca32ad4899e48261c2c628afa5d25cc201ce6c1406a8a52cff6be0718964641b3f610160277122fcfdcb93ac0b68d050effc3e2fc26f8fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
0dccaf467634e6b9a5eb1548160db4d2

SHA1
5ffa8f7daf69125f789426d6d284f31335265a81

SHA256
91c7d2980dd7131d07218d3877a178883d8d78c2ffa33ece494cc27654e3ca06

SHA512
9186b611486393a651e4c5aafd8b348d92ef7bd598268a718ef6306ac8a57eec5d55b4f07e5d56a3fe18b36f9ef7009eb8d4b67dfc93230a9314bf2c2726b244

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
9ef0c2dfbcc7c519a88d0f08e217bf99

SHA1
3f679f39b27b59ebb53e1870a5b1061eaa926e51

SHA256
434c41d38af23f56652eca901add4c2530a25c6f4379881bf2c552c45a2c2553

SHA512
0dc21bb77ffeb94f811271c4083145a01b69da81004c347b8e65e26be3ba6539075734c371969839c78ad5f1393bbf5c03885c653f6ab3b69ad2ca7ac03e42c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
0ae53c6f1e1adcc8a9693f206a2485a6

SHA1
206d4109769946f0510fa8a14e352c2a04898011

SHA256
254139a043d82339054678dbaa8ad01c67bceba6cedfa75b8eeb6cf5efdc1aac

SHA512
c47702e2f176b7fc44e97f2980c0e0548e749a97a5b8f78b1295b54f47e00cbcbe78563777351e4fa48a8565e2df9dc1d793c87f624bed4f4b3a25edb7bd31af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
530B

MD5
a97bccd5d4426007636c50d510628719

SHA1
3c9f75224fd1292d18c4c21f92585a02aec86059

SHA256
5089193fb7b9f2cac4f1193c0cf0731266e804baf2c274fb93b4cebbe4baa40e

SHA512
834d6ffb6919f3f76a97819fefdf86af6e9ce5032d132025237957fe83cc4ca111a1dce08046bdadceaf352ee9b1815f5e5344b48571bd57304b6a2586eb0890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
22KB

MD5
378c2b4307c0cd29f9badd57e99f5c00

SHA1
af99eae6d0e5e88e1502a0894b03ec05a3c088a2

SHA256
1f23fda971d2f92a1a8006018e8f10cda7051d789d896709871c0beeed1a597d

SHA512
aa60fb8d7c9c51d6dc1b445abbddc50e7a5af806e5bec54fe5bb91d8298eee269a28890712ed4e4f701eb09190f967c102b4fb84230a34538ccf9ef4b99763b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
27KB

MD5
6da9e4977e7682a64c37f40e736af3e2

SHA1
44fcb89a3d51eb55322a10d709a8494f46a1dba6

SHA256
39a9b6f375218b08a83cb0d7b861a9cdd7e827e0b1effb6d9f5455ee3f47a513

SHA512
9ead15aca751fdf5ab0fa503648a38b4bdf1e517b6fce26330d5672fa4e324ca55207b0f1f58610ba9d8d4d8ddade68c436a11d5202bcb435b5fde895cadad2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
32KB

MD5
0aa11ace327eda2911b6cf8421de4dde

SHA1
581a9c2bb8806b61452fd8338acdc54f8d85f7bb

SHA256
258fd6c52d3b07dd2bc835dd74916861e23e4903ac892089268b34b1c06704ba

SHA512
762203cac4698bbba1848a0090999211c7a5350fcd237ac6164716f65e6d3935d7148b7fe0ef18be981ffb6e15a01b28084683b7487328c924f05d4e58c05475

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
37KB

MD5
b44664c00a7d7d0535e4846b51559f6f

SHA1
7c6293900036e9e4694728a401eff5749be6cd5e

SHA256
98134988c82b734c102c9f8ea8da581da4f2c443b005b95838e6b71257d3357a

SHA512
58611b1b86aad90cd16a5d982b0e5c85a92194e41c5319ab922a5e44c9179964d2997a49406f92603b599e9ef6552e6cf02309c4f27b773ff3dadf8fa4821a47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
7KB

MD5
3fbd79868d92cda925d620c9cc58b6fc

SHA1
ffc1f59d4fa6c2c3ae9056de9b8725e4edb1a164

SHA256
077cfc21dcfb3ef1ff33de6d863cbcbb95e9fa23b27fb73536d1767c6ba5812c

SHA512
ee8aa86f6c3a071cdfca7b2a64ef0e2bb8c293a71d13e0e86e466cfc435322176f4a4e206f26f1e6ac68718c7673c72cefb0e5312bb10ff8ae72139fcabcb90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
11KB

MD5
8db42deb0f0be58859ab8fb23dec8cf0

SHA1
9e661967077dadb5f12fb94496e75cda0cdff391

SHA256
f258004f74564eabe2fd22bab90a0c85b18a7e18f55d8b921e618760ad7aaac9

SHA512
f7d9c112d005bb714c3953758cb5cbfec49a7845f3ca234d9daef9c71f57926ae4682f148c3fe9187f58476e0c94761be88e59305eccf513f8d94aa81bf7b22e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
17KB

MD5
9c89062ef12f5b2ac467290afca6c9d4

SHA1
be58d69fa64cfa934ea4860bbbb0ffc9f6803535

SHA256
eb1dbb8db3b3e28e2e6c292cc4f638958fd68ebebe491fa9ca5d1e3576d296c9

SHA512
bbcd46c76f31632dd151ed8e12525b4146c0145eaf3268c540c26f9b607ca6677f6b934867c2188fd0ba0b9074dcb92ea317447bc88f12f93e2e44235b30a3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
d9be3f95edb89e170b181dac71703c7d

SHA1
21d3696ee7f4bdacbb8c3eaad4bf737e9a64cf17

SHA256
1d622de16cca92721a94764c7babbce44e15ba8bfae050b3aef220ede98f890d

SHA512
8d2ca16126fe6f82bca720b5c260890e605b78dddd710ed1a34afbd5908abdbe90208b921a37529897c9914dc2e2966593e46f6843e489a6f07d3750cb0e01db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
95bd3350b35e064121e66185a3599c41

SHA1
0f9f2fc3c3cf67815d78fdda3b93f91fb4b664c5

SHA256
5adaced65862b3487049be38f0559705d90876f984c3909554c836c1eb5701da

SHA512
aaadf0a39da5f59a95a57ea9a05b46a499e6ee5ff1ab29967acf0be12a0a07a261577eac7cad678e92852b55220e89d42e265a4a586fa7096d69efb2ed1e91e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
383B

MD5
8babd49ad88f1c33447d75684f86a1c2

SHA1
ff260cc000a8b1c408e6052d0dbdd0f67099e79b

SHA256
b84bcc3e91e860353deb1f1b4d205723757b504845fcccca69f54f0409106f8d

SHA512
4a0d0659954f369658fd717e034a803af631e90938a82271fb2c0fc1cd63b4adcd6de142249682cc5a2e376893af106adb92b251aa610f0d049fc97715be214c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
890B

MD5
43bc6fb4ad87d3349b94ee758b39a6fe

SHA1
6fb1f6080aa5dd2f246787e41ea077962271d96e

SHA256
80e9b7c719aa2c3b4eb0fcf4e53b8e527f5c4b091de06c18eeecc32d5b9ac0f5

SHA512
4b264610321be3534fe655d35280489624971a74a013a0b41d22049805f24be1f54fb36a051079c476b87d079122c311153839890033b4d467c37b34d78da5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
456B

MD5
1595f9e563b8295d0fae7d4f187d61bf

SHA1
35ba322b084bf181053f596c675fed7ff2663ed0

SHA256
ff26182780e7bfd3c6b00c2c1225ab9a8db94a3efcc511cc897a2db4caa9e9ad

SHA512
d6e462123e08a2120909b4aec63686903e23b642b99ed64b3ecd1461ea6f5dfebf9c791c78aee91e59aa07b7759854ce079251d111f866e79b163f6e6a011ca7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
445B

MD5
401e4eb249071b70f56d18e942ae7df2

SHA1
f3820c8c3ecf2443504736023fc0ce252d06e19c

SHA256
33413957207bff35858e95b3d8a54bf2b9e7d20882a4a62366946cfd960dbe73

SHA512
196e7ef12447e97e3be7a7c20fd69d0d1377364def9059e8eacf05a98a003fdc0470c9e88f662d38db7c54c24135d165bbe59f32b49aaeba5e91e6941725edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
260B

MD5
ce46666974f1f7df7a675cd11f91a55d

SHA1
57727418fb3430e0ee1697a09d2e7bf35d8455ea

SHA256
b69cfdd69d97ffc6b541cdec0b73ce6d28665c6dbd027125a7b1aed3dc9733dc

SHA512
a78002e8f8f5cdbba772998c1f32babafd2ddf6b55c2964b64308e222a2155e3778637be20564aa8497aa1cebe33066139c516526818461e35ab5539f6a70540

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.bin

Filesize
24KB

MD5
2e40c97f7790fed7606c2ab881340ce5

SHA1
b45ccff0eaffed71c822b8ad31bf2342e5aaa2cb

SHA256
299fedc96d0eaf4f1bf6398fb9c8d30b1f3f10571e834b93432bb02297b0648f

SHA512
339a2e2e931890628aee8e708a8f5d2057e8ca3a40c48689852867d99d1c56ee926f192ab3893201823ce25b0174384fcbf1e1fe7567eb11beed3babcd8e7b53

Download Submit
C:\Windows\System32\Twain_20.dll

Filesize
32KB

MD5
36deca5bd53f31d062d07c1d3fa0cc8d

SHA1
1d245de03d3725b180f572b15036cbb168445edf

SHA256
d6607a9ec5fc0698f50382ffe61a4ad1f36a8b26c0834c305f40e41647980668

SHA512
e1253113a5dfd1cd7e93dfe45649d89e072db432b1724aaf36c7b082b38e770c4755e4d01c136134bb9356f74daa1e7205e5fa43f575edb5013a91f738be71c1

Download Submit
memory/804-2492-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1644-395-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1644-2508-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1648-2509-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1648-396-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/1864-2493-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2704-399-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/2704-2510-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3092-1467-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3092-2511-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3112-2488-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3184-1491-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3184-2512-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3392-2513-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3392-1492-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3484-2534-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3484-1493-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3568-1517-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3680-1518-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/3804-1658-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4036-1631-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4112-2497-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4208-1659-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/4396-2496-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5044-2498-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5224-2489-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5244-2503-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5276-2501-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5352-2504-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5412-2499-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5584-2502-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/5780-2500-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6104-2495-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6596-2490-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6612-2491-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6728-2494-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6980-2485-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/6996-2484-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7084-2486-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7108-2487-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7264-2505-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7320-2506-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download
memory/7440-2507-0x000007FEF70C0000-0x000007FEF710C000-memory.dmp

Filesize
304KB

Download