badrabbit | d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea

Analysis

max time kernel
25s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/03/2025, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe
Size

1.0MB
MD5

ab566bd2a0f20afa6817214cf66269f0
SHA1

31cb35812778d4bbb0c7a496c9d789a13625b056
SHA256

d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea
SHA512

353d36b414bfaef79f7c3703f33d12ec8467ca6bd71d7dab9aaf4546d60c9b74941fbf41eaa5e0352e34a3bd51b56baefd15183168ee519985eba81fe5399447
SSDEEP

24576:TR+cl7X1BRnI6hmebOe1gmf2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKJStRv9xFK1gEr0E

Score

10^/10

badrabbit mimikatz defense_evasion discovery exploit persistence privilege_escalation ransomware spyware stealer

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral1/files/0x000500000001960c-623.dat	mimikatz

Modifies Windows Firewall 2 TTPs 20 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
10056	netsh.exe
5616	netsh.exe
1764	netsh.exe
5724	netsh.exe
6016	netsh.exe
3744	netsh.exe
10108	netsh.exe
2740	netsh.exe
1660	netsh.exe
5068	netsh.exe
9280	netsh.exe
3056	netsh.exe
5076	netsh.exe
4656	netsh.exe
5204	netsh.exe
9580	netsh.exe
5756	netsh.exe
6716	netsh.exe
9588	netsh.exe
9636	netsh.exe

Possible privilege escalation attempt 15 IoCs

exploit

pid	Process
3120	takeown.exe
2576	takeown.exe
5116	takeown.exe
6316	takeown.exe
6284	takeown.exe
6772	takeown.exe
7788	icacls.exe
6740	takeown.exe
6764	takeown.exe
2548	takeown.exe
988	takeown.exe
7048	takeown.exe
6784	takeown.exe
8728	icacls.exe
3108	takeown.exe

Executes dropped EXE 17 IoCs

pid	Process
2364	A2-Cryptor.exe
2880	BadRabbit.exe
2700	FMLN.exe
2852	Shingapi.exe
236	Shingapi.exe
1036	Shingapi.exe
1556	Shingapi.exe
1088	B7DA.tmp
1496	Shingapi.exe
4016	Shingapi.exe
3332	Shingapi.exe
3480	Shingapi.exe
3880	Shingapi.exe
4112	Shingapi.exe
4700	Shingapi.exe
4100	Shingapi.exe
4888	Shingapi.exe

Loads dropped DLL 6 IoCs

pid	Process
2640	cmd.exe
2640	cmd.exe
2640	cmd.exe
2640	cmd.exe
2640	cmd.exe
2640	cmd.exe

Modifies file permissions 1 TTPs 15 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5116	takeown.exe
6316	takeown.exe
988	takeown.exe
6740	takeown.exe
6764	takeown.exe
2548	takeown.exe
2576	takeown.exe
6784	takeown.exe
7788	icacls.exe
3108	takeown.exe
6772	takeown.exe
7048	takeown.exe
6284	takeown.exe
8728	icacls.exe
3120	takeown.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 1 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
1488	certutil.exe

Enumerates connected drives 3 TTPs 3 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	cmd.exe
File opened (read-only)	\??\B:	cmd.exe
File opened (read-only)	\??\E:	cmd.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops autorun.inf file 1 TTPs 11 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe

Sets desktop wallpaper using registry 2 TTPs 5 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Encrypted.jpeg"	wscript.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe
File opened for modification	C:\Windows\B7DA.tmp	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 63 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2-Cryptor.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMLN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	calc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	takeown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	explorer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mspaint.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Delays execution with timeout.exe 6 IoCs

defense_evasion

pid	Process
4904	timeout.exe
2028	timeout.exe
1440	timeout.exe
3780	timeout.exe
3320	timeout.exe
4932	timeout.exe

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
5912	ipconfig.exe
3648	ipconfig.exe
5972	ipconfig.exe
2952	ipconfig.exe
1416	ipconfig.exe
6056	ipconfig.exe
5332	ipconfig.exe
4844	ipconfig.exe
1340	ipconfig.exe
2028	ipconfig.exe
4900	ipconfig.exe
5340	ipconfig.exe
5300	ipconfig.exe

Kills process with taskkill 13 IoCs

defense_evasion

pid	Process
5124	taskkill.exe
6448	taskkill.exe
6808	taskkill.exe
4852	taskkill.exe
6840	taskkill.exe
1796	taskkill.exe
496	taskkill.exe
4236	taskkill.exe
6084	taskkill.exe
156	taskkill.exe
6440	taskkill.exe
2880	taskkill.exe
1660	taskkill.exe

Modifies Control Panel 5 IoCs

defense_evasion

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	wscript.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\Desktop	wscript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2688	schtasks.exe
1848	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
1496	Shingapi.exe
4016	Shingapi.exe
3332	Shingapi.exe
3480	Shingapi.exe
3880	Shingapi.exe
4112	Shingapi.exe
4700	Shingapi.exe
4100	Shingapi.exe
4888	Shingapi.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2620	rundll32.exe
2620	rundll32.exe
1088	B7DA.tmp
1088	B7DA.tmp
1088	B7DA.tmp
1088	B7DA.tmp
1088	B7DA.tmp
1088	B7DA.tmp

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2620	rundll32.exe
Token: SeDebugPrivilege	2620	rundll32.exe
Token: SeTcbPrivilege	2620	rundll32.exe
Token: SeTakeOwnershipPrivilege	2576	takeown.exe
Token: SeDebugPrivilege	1796	taskkill.exe
Token: SeDebugPrivilege	1088	B7DA.tmp
Token: SeDebugPrivilege	496	taskkill.exe
Token: SeDebugPrivilege	2880	taskkill.exe
Token: SeDebugPrivilege	1660	taskkill.exe
Token: SeTakeOwnershipPrivilege	988	takeown.exe
Token: SeTakeOwnershipPrivilege	3108	takeown.exe
Token: SeTakeOwnershipPrivilege	3120	takeown.exe

Suspicious use of SetWindowsHookEx 38 IoCs

pid	Process
1724	mspaint.exe
2368	mspaint.exe
1724	mspaint.exe
2368	mspaint.exe
1724	mspaint.exe
2368	mspaint.exe
1724	mspaint.exe
2368	mspaint.exe
3096	mspaint.exe
3312	mspaint.exe
3468	mspaint.exe
3096	mspaint.exe
3312	mspaint.exe
3468	mspaint.exe
3304	mspaint.exe
4104	mspaint.exe
4184	mspaint.exe
3312	mspaint.exe
3096	mspaint.exe
3312	mspaint.exe
3096	mspaint.exe
3468	mspaint.exe
3468	mspaint.exe
4104	mspaint.exe
3304	mspaint.exe
4184	mspaint.exe
4920	mspaint.exe
4980	mspaint.exe
3284	mspaint.exe
3304	mspaint.exe
4104	mspaint.exe
3304	mspaint.exe
4104	mspaint.exe
4920	mspaint.exe
4184	mspaint.exe
4184	mspaint.exe
3284	mspaint.exe
4980	mspaint.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2364	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	30
PID 2076 wrote to memory of 2364	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	30
PID 2076 wrote to memory of 2364	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	30
PID 2076 wrote to memory of 2364	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	30
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2880	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	32
PID 2076 wrote to memory of 2700	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	33
PID 2076 wrote to memory of 2700	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	33
PID 2076 wrote to memory of 2700	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	33
PID 2076 wrote to memory of 2700	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	33
PID 2076 wrote to memory of 2852	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	36
PID 2076 wrote to memory of 2852	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	36
PID 2076 wrote to memory of 2852	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	36
PID 2076 wrote to memory of 2852	2076	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	36
PID 2364 wrote to memory of 2872	2364	A2-Cryptor.exe	38
PID 2364 wrote to memory of 2872	2364	A2-Cryptor.exe	38
PID 2364 wrote to memory of 2872	2364	A2-Cryptor.exe	38
PID 2364 wrote to memory of 2872	2364	A2-Cryptor.exe	38
PID 2872 wrote to memory of 2772	2872	cmd.exe	39
PID 2872 wrote to memory of 2772	2872	cmd.exe	39
PID 2872 wrote to memory of 2772	2872	cmd.exe	39
PID 2700 wrote to memory of 2888	2700	FMLN.exe	40
PID 2700 wrote to memory of 2888	2700	FMLN.exe	40
PID 2700 wrote to memory of 2888	2700	FMLN.exe	40
PID 2700 wrote to memory of 2888	2700	FMLN.exe	40
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2880 wrote to memory of 2620	2880	BadRabbit.exe	41
PID 2872 wrote to memory of 2532	2872	cmd.exe	42
PID 2872 wrote to memory of 2532	2872	cmd.exe	42
PID 2872 wrote to memory of 2532	2872	cmd.exe	42
PID 2852 wrote to memory of 2640	2852	Shingapi.exe	43
PID 2852 wrote to memory of 2640	2852	Shingapi.exe	43
PID 2852 wrote to memory of 2640	2852	Shingapi.exe	43
PID 2852 wrote to memory of 2640	2852	Shingapi.exe	43
PID 2888 wrote to memory of 2704	2888	cmd.exe	44
PID 2888 wrote to memory of 2704	2888	cmd.exe	44
PID 2888 wrote to memory of 2704	2888	cmd.exe	44
PID 2888 wrote to memory of 2704	2888	cmd.exe	44
PID 2872 wrote to memory of 1488	2872	cmd.exe	45
PID 2872 wrote to memory of 1488	2872	cmd.exe	45
PID 2872 wrote to memory of 1488	2872	cmd.exe	45
PID 2620 wrote to memory of 1784	2620	rundll32.exe	46
PID 2620 wrote to memory of 1784	2620	rundll32.exe	46
PID 2620 wrote to memory of 1784	2620	rundll32.exe	46
PID 2620 wrote to memory of 1784	2620	rundll32.exe	46
PID 2640 wrote to memory of 1944	2640	cmd.exe	48
PID 2640 wrote to memory of 1944	2640	cmd.exe	48
PID 2640 wrote to memory of 1944	2640	cmd.exe	48
PID 2640 wrote to memory of 1944	2640	cmd.exe	48
PID 2640 wrote to memory of 1764	2640	cmd.exe	49
PID 2640 wrote to memory of 1764	2640	cmd.exe	49
PID 2640 wrote to memory of 1764	2640	cmd.exe	49
PID 2640 wrote to memory of 1764	2640	cmd.exe	49
PID 2872 wrote to memory of 2028	2872	cmd.exe	52

Views/modifies file attributes 1 TTPs 12 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
5888	attrib.exe
5300	attrib.exe
7868	attrib.exe
8908	attrib.exe
8932	attrib.exe
9012	attrib.exe
3132	attrib.exe
3196	attrib.exe
4016	attrib.exe
4432	attrib.exe
6012	attrib.exe
1520	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2364
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AEA7.tmp\AEA8.tmp\AEA9.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
    3⤵
    - Enumerates connected drives
    - Suspicious use of WriteProcessMemory
    PID:2872
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:2772
  - - C:\Windows\system32\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      PID:2532
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "Encrypted.jpeg"
      4⤵
      Deobfuscate/Decode Files or Information
      PID:1488
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:2028
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1440
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:3780
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3320
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4932
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4836
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6040
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4856
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5240
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4860
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6068
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4868
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5224
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      Sets desktop wallpaper using registry
      Modifies Control Panel
      PID:4876
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5084
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:4904
  - - C:\Windows\system32\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:6116
- C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
  "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      PID:1784
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2144
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2863028014 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:568
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 2863028014 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:45:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:2284
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:45:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
  - - C:\Windows\B7DA.tmp
      "C:\Windows\B7DA.tmp" \\.\pipe\{BA2DA43B-D790-4499-9B63-F84642F7AFCF}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1088
- C:\Users\Admin\AppData\Local\Temp\FMLN.exe
  "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AF04.tmp\AF05.tmp\AF06.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2888
  - - C:\Windows\SysWOW64\mode.com
      mode con: cols=170 lines=45
      4⤵
      System Location Discovery: System Language Discovery
      PID:2704
- C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
  "C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AF33.tmp\AF34.tmp\AF35.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
    3⤵
    - Loads dropped DLL
    - Drops autorun.inf file
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2640
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:1944
    - - C:\Windows\SysWOW64\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        5⤵
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1848
  - - C:\Windows\SysWOW64\netsh.exe
      netsh advfirewall set publicprofile state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      System Location Discovery: System Language Discovery
      PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      System Location Discovery: System Language Discovery
      PID:1316
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2196
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      System Location Discovery: System Language Discovery
      PID:1044
    - - C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Possible privilege escalation attempt
        Modifies file permissions
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:2836
  - - C:\Windows\SysWOW64\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      System Location Discovery: System Language Discovery
      PID:1084
  - - C:\Windows\SysWOW64\ipconfig.exe
      ipconfig /release
      4⤵
      System Location Discovery: System Language Discovery
      Gathers network information
      PID:2952
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1796
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1520
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:888
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3028
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2708
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2832
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1832
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:844
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:548
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1148
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2080
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:236
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B56A.tmp\B56B.tmp\B56C.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        Drops autorun.inf file
        
        PID:620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:1452
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:2740
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:2984
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:2128
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:2496
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:1596
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:1988
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:1416
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:3132
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3268
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3376
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3484
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3720
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3848
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3976
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:1596
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3460
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3708
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:3716
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:3936
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:4044
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:1496
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EA6E.tmp\EA7F.tmp\EA80.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        Drops autorun.inf file
        
        PID:4396
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:4928
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:6252
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5068
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:4144
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:6468
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:5316
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:5460
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6764
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5492
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5880
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:6056
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:4236
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:5300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:7732
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:7548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8176
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:7672
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8112
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:4892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8984
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:6600
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:5160
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:5932
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:9788
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:9752
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:10000
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:10032
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:6244
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:9236
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:496
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:3136
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3176
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3096
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4016
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EB58.tmp\EB59.tmp\EB5A.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        Drops autorun.inf file
        
        PID:4540
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:5052
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:6184
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:5076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:5452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:5500
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6740
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5524
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5920
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:4900
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:5124
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:5888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:1508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:5692
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:7264
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:7980
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:5412
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:7420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:4660
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8372
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:9148
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:9120
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:4876
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:8552
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:5616
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:9028
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:3664
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:6012
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:6560
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:9108
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:9112
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:5856
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:6452
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:6372
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:2384
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:7096
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:6056
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:3012
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:6524
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:5708
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:9488
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:3228
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:876
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3296
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3312
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3332
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\EB87.tmp\EB88.tmp\EB89.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        Drops autorun.inf file
        
        PID:4624
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:4640
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:6664
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:4656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:5772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:5812
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6772
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5872
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5516
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:5340
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:6084
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:4432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8168
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:7904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8120
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:5904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8696
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:3764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8652
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8360
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:3704
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:9380
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:9692
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:9984
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:3360
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:3392
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3476
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3468
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3748
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:380
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3452
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:1440
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3116
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3544
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BD47.tmp\BD48.tmp\BD49.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:4744
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:10096
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:10108
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:4908
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4600
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6788
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:5972
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6828
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\BF2A.tmp\BF2B.tmp\BF2C.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:3092
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9444
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9588
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6000
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:5296
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1592
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:632
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C17B.tmp\C17C.tmp\C17D.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:3612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9572
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9636
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:1756
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:1548
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1792
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:2148
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:1640
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C34F.tmp\C350.tmp\C351.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9400
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9580
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:2200
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:6180
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:1964
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:640
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:5804
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C726.tmp\C727.tmp\C728.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6376
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9936
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:10056
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6264
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:2920
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:924
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:6476
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7092
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C929.tmp\C92A.tmp\C92B.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6140
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:10068
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9280
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:5496
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:3580
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3316
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:4860
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:2676
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\DE9C.tmp\DE9D.tmp\DE9E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:9800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:10184
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:5616
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:2012
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:2092
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6232
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:2740
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E86C.tmp\E86D.tmp\E86E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:10196
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:5876
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4432
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:2088
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7176
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7272
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7280
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7300
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7320
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7344
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\E86D.tmp\E86D.tmp\E86E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6604
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7404
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7432
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7440
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7452
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7468
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7508
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7536
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7556
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7584
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7612
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7676
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7696
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7744
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7756
      - C:\Windows\system32\icacls.exe
        
        icacls "C:\Program Files"
        6⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7788
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h "C:\Program Files"
        6⤵
        Views/modifies file attributes
        
        PID:7868
      - C:\Windows\system32\format.com
        
        format /y /q A:
        6⤵
        
        PID:8972
      - C:\Windows\system32\format.com
        
        format /y /q B:
        6⤵
        
        PID:8344
      - C:\Windows\system32\format.com
        
        format /y /q D:
        6⤵
        
        PID:5308
      - C:\Windows\system32\format.com
        
        format /y /q E:
        6⤵
        
        PID:6400
      - C:\Windows\system32\format.com
        
        format /y /q F:
        6⤵
        
        PID:6888
      - C:\Windows\system32\format.com
        
        format /y /q G:
        6⤵
        
        PID:6304
      - C:\Windows\system32\format.com
        
        format /y /q H:
        6⤵
        
        PID:6328
      - C:\Windows\system32\format.com
        
        format /y /q I:
        6⤵
        
        PID:9300
      - C:\Windows\system32\format.com
        
        format /y /q J:
        6⤵
        
        PID:9884
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:748
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      System Location Discovery: System Language Discovery
      PID:680
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1804
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:1724
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1036
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B75D.tmp\B75E.tmp\B75F.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        Drops autorun.inf file
        
        PID:2500
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:1608
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:3056
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:1700
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:1692
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:1768
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3108
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:1328
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:988
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:2028
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:4016
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3684
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3236
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3240
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3172
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4272
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4548
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4880
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4368
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:4356
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:4572
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:4224
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4700
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\447F.tmp\4480.tmp\4481.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6340
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:6528
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:6716
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:6628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:6976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:7012
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6284
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:7040
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:6712
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:3648
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:6840
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:4708
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4712
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4312
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4920
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4B62.tmp\4B63.tmp\4B64.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:5808
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:3744
        
        C:\Windows\SysWOW64\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:5152
        
        C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6316
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5888
        
        C:\Windows\SysWOW64\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5780
        
        C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:5972
        
        C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:4852
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:5100
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4812
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4820
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4980
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4888
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\48F2.tmp\48F3.tmp\48F4.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6728
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:5848
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:5204
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:2724
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:6044
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:2548
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:7028
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:3404
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:4844
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:6808
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:5032
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:5036
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:5048
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3284
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3512
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4472
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:5136
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:5640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4488
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4480
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1956
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3060
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:1440
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2140
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1556
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B7AB.tmp\B7AC.tmp\B7AD.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        Drops autorun.inf file
        
        PID:2776
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:3008
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1660
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:2164
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:3020
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Possible privilege escalation attempt
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:2688
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:1864
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:1340
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Drops autorun.inf file
        Views/modifies file attributes
        
        PID:3196
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:1988
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3292
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3516
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3904
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4064
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3288
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3916
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3836
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4084
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:3664
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:3816
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:3296
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3480
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\F6C.tmp\F6D.tmp\F6E.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:5208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:5712
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:5756
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:6268
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:6988
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:7004
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:7048
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:7052
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:3860
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:5332
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:6448
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:9012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:8792
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:6380
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:5744
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:9664
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:3628
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:3432
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3808
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:3304
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:3880
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\1140.tmp\1141.tmp\1142.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:5276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:3320
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:6016
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:6656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:6676
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:6784
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:6708
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:7124
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:5300
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:156
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:8932
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:6520
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:7172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:2968
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:9296
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:3204
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:3208
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:3796
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4104
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        
        PID:4112
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\CFC.tmp\CFD.tmp\CFE.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:6020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:5576
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:5724
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:6916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:6996
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Possible privilege escalation attempt
        Modifies file permissions
        
        PID:5116
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:7028
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:2812
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:5912
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:6440
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:6012
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10204
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:4132
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4148
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:4176
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        Suspicious use of SetWindowsHookEx
        
        PID:4184
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4420
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4724
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:5088
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4528
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4412
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:4984
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:2556
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      System Location Discovery: System Language Discovery
      PID:2360
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      System Location Discovery: System Language Discovery
      PID:2376
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:2368
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1836
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:824
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2172
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2748
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:1140
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2304
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:7868
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:7228
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:7256
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:7352
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:3756
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:6788
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:5480
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:7576
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4864
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:7028
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:7496
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:1268
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:7520
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:5680
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:7876
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:7908
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:7892
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:7964
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:8092
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:8132
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:8156
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:8184
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:6324
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:6356
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:4312
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:7796
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:6392
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:1000
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:6904
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:7100
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:5408
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:6216
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:6464
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:6148
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:7660
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:6624
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:5688
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:6204
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:8096
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:8088
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:8108
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:7968
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:7484
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:8196
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:8212
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:8228
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:8256
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:8284
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:8392
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:8400
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:8412
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:8444
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:8488
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:8500
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:8520
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      PID:8528
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      PID:8540
  - - C:\Windows\SysWOW64\calc.exe
      calc
      4⤵
      PID:8568
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:8592
  - - C:\Windows\SysWOW64\mspaint.exe
      mspaint.exe
      4⤵
      PID:8668
  - - C:\Windows\SysWOW64\icacls.exe
      icacls "C:\Program Files"
      4⤵
      Possible privilege escalation attempt
      Modifies file permissions
      PID:8728
  - - C:\Windows\SysWOW64\attrib.exe
      attrib -r -a -s -h "C:\Program Files"
      4⤵
      Views/modifies file attributes
      PID:8908
  - - C:\Windows\SysWOW64\format.com
      format /y /q A:
      4⤵
      PID:5308
  - - C:\Windows\SysWOW64\format.com
      format /y /q B:
      4⤵
      PID:9176
  - - C:\Windows\SysWOW64\format.com
      format /y /q D:
      4⤵
      PID:6556
  - - C:\Windows\SysWOW64\format.com
      format /y /q E:
      4⤵
      PID:6236
  - - C:\Windows\SysWOW64\format.com
      format /y /q F:
      4⤵
      PID:9268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-14453999711713425857-18885435078379859141845109541-36499055-1531733379-123633438"
1⤵
PID:3176

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-523994136-1577541918-782123268-1598428048-1882937878-20685355481813433420275200369"
1⤵
PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
383B

MD5
e8ac1f187bb02b76ff45f3a3977c6669

SHA1
a6246d99d7f0347e246399576342e7e118d6cb2a

SHA256
8b163a7e7bc1048d74b3b0298b85bc453cf349c9adb53d76adf391ef0491db26

SHA512
f7f67854fdd19718a5fe8aaf99cf722ffb73a8151c8d3f214e89b44b0c4cba24c5fbfd390246e9cb2423919d0b4f694117c09b7697853168156d77efbb83397b

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.eky

Filesize
48B

MD5
411b6f29e49af6d3a666924804b8f3fa

SHA1
b9b4861fe47250ccc788e54cae97ae796d39d18b

SHA256
caaf8e07ede077894144705a7de51f86f54893e669b6803f4f8fbf43c3cac1c3

SHA512
10de7018d473be4845b8280435a3a67fd245ccc32eb4963d81ac39a28e098024170bd0a21547632cc10ef24f1a1b0c714fb1a69edd38d0045b3b3a87c4c11e30

Download Submit
C:\Users\Admin\AppData\Local\Temp\00000.zsc

Filesize
45B

MD5
b21f4b4bcab9ebe2aa0716f64cf8e147

SHA1
7086dd8c70f04e006f47e6a7a87b337c4de51fbf

SHA256
c28f0337fbb2abe6dc349581ba054047fadbedc0ee2f759d2fcd2566d6ba0ad2

SHA512
68bb7d8d0a0e062550ad18a4e57c7041b3c8241ded2dc464672a4a46be0656b566127e814642bf86a697b129085ae063bfc4eb9731dc92ddd2c7aeba95007aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\13842_27052.bat

Filesize
127B

MD5
71f2ece5d6de26f528ff0e1c9382f1c9

SHA1
12b4fe9e4f1d4e0ea494393282baeb58f5991c8e

SHA256
648b31ac461f2539e111298e9d5f8e154ed8852a4f8c57cceec17504da8cdb01

SHA512
0236aa82c44f9cdc7230d2b46c910c794820202e697031c893ed8502883f310bc202beee7d4a502f5508c8f6c320f9479e48be30f24f344624a0224a1f549c56

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe

Filesize
122KB

MD5
d6e36f6b145a4601a84835b7e8a0bbc2

SHA1
3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

SHA256
46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

SHA512
e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\AEA7.tmp\AEA8.tmp\AEA9.bat

Filesize
33KB

MD5
4b42191175209ea23203acc526307c00

SHA1
a77abea54f5b2a0084fd1574a1c5b6e1df1df054

SHA256
4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

SHA512
fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF04.tmp\AF05.tmp\AF06.bat

Filesize
54KB

MD5
93841169c4264ce13735e8b116d06226

SHA1
1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

SHA256
82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

SHA512
ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

Download Submit
C:\Users\Admin\AppData\Local\Temp\AF33.tmp\AF34.tmp\AF35.bat

Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
780B

MD5
7a8cb2322bb010a4ed6ffd7cdbab23c1

SHA1
9982961b5ab370c78e1c27de567e5abb43fc295d

SHA256
80827d6d8c3b1dd3f236684a8884a1b3a869b445df2941be5946581d39fbdae4

SHA512
8e3463932632bc9c8bc0d13918cb0809f290c2714ec498837ef239a5c7f0bba1705517cc2c1ce94441d29db2f7503c6231a8d06dfe93695b5fef4b44b0baf8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
120B

MD5
6bc9ab9854695874c5338bd08dde7db5

SHA1
8ae8dc91cd8b80dd688378a3eacb2750e2de8c3c

SHA256
d4249fbe2df7ddc684f61bbba98e5d3312c85e5787d5500a73ff18a5abce76eb

SHA512
e8fda27e7d1144816879b84fa04b8b3a7063f3841e57a1aaa918b5dfa1dc35f0f4380f89ca861c59ea45d884488e68309dabff15200e6b99038df4431e439f85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
180B

MD5
b2206e980c51067d6e9dd7575d842bdc

SHA1
5aa6f76eee9efd569089be7f363e30ebf0531a22

SHA256
add106f3d6e9cfd2fac3d14a74d6791a9caa257b9c7e105a9a5fc2a309337ecd

SHA512
89ab3ca635f8fdcb1206f0a1d585355a730506cc1d72ca666f1e9d650b24107368349b44ab0b3d3132442a2fc61c0c9404d00b717a61f305d9c93d5d638d9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
1KB

MD5
4c3e3e88f5ca83ed65cade646c9469f8

SHA1
ac9f15a0ef7f47f1e4bfdef5581879e5e55e2f08

SHA256
840d010f8abea0f01256e4f47ccdaf713a8b6459473c8885cda1d3c2e750a04d

SHA512
9d8827d7b486d70d3f5589bbdf77b97e1e10175934ac35128ce8c82a4597532763f2efe733c8b6a79a08abdc4d22fa55b61c07bf436e3a8e760ac806a9d97ded

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
148B

MD5
50e2a40bc39192080a39d3088fa7aa76

SHA1
481807334d45196f752e8d35eb8f09dc9ff7b008

SHA256
6cfa1ab5a6ca16d543b4026cd3e96ad70b24b76170af8f48c189c80c61bec843

SHA512
ab19fb37e801f8cc8305745b112160b269c18fd6300ba93cf1976069c04bde4b566d9c2430bc0ecfe06c3c0efafb962da0b0a17cec43ef014bfababf36d701c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
b20421aba6b1738af56e402aed7b5fca

SHA1
7b9e8f147c25a383e775cf4ce66fec5f050f8187

SHA256
2b11af7c3e34fcb9851881ecb06ee601696a6e29b3d3f283f79b118bdba35ecd

SHA512
32eb6ae6c4009d43422f6abad7cd88f21b3efbd85c4a8c1fa45675f59f5c7a1d0839c6f73131522de5c0f5f1cec2dc9b4e2b00dbe68e060390cc5b6174ef9683

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
358B

MD5
9e58c25239664255d0d6b12c2537c5f4

SHA1
6a27238c70fe496d644bf6959cb41da01d65f4eb

SHA256
4a08897a6b715d953c8995655b359b7ae71ede0efc775c90610f825feb721e69

SHA512
722c9b272372a76888ccf486b08da1326409f764c33dc71ec1e02ce2342f5d2d36732b2643ead5226ff869fec8c1fba54b925932d2c73cc921169aee217ba79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypted.jpeg

Filesize
15KB

MD5
20aba01130e85571476712c784af05b0

SHA1
54c9002381bafbfa648dd3f5c77b1830efc1dc85

SHA256
72bdac2468fa4e19f8915817f380ceeb96ff94a64a3e29e64ac79b65bed2f6ac

SHA512
c84a603b359d3e7097229161d22a69c574a582cbbd21c8343fa06986b5058125763196b8d4e2f7bf51400ffaba63e9c565e42c32759b973439f46e5a9f84b19f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
58B

MD5
8e160ad100a745d03ce20de0546923d4

SHA1
b051db4140c061209b3b321c69d28e48dc7001a5

SHA256
c038df2a897f1f142291e832a82acb23b1cbc66f4c33442fd8dee87a107f0924

SHA512
90e857dbf5dc8d110a0c958f0ff8c918a43a5bf412b4a28c0d7c40f5563f0ac608c1594a412b1fcd51c2175daddcfca6e23d76ad3ec8cfe5203e3cc18f512ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
108B

MD5
aea78da25dd9a4226b49abfadcc3977c

SHA1
1ae73fa0157801a3c42074f6d057712de6427e31

SHA256
18d5c5a71bb9b2414e4a08a52eeacf10961f29c5c582964b3507896be885b3a4

SHA512
f4a2c037f59680fe9d7931866fac1d28c3006e1fbf128ff8b6cb8f3edd54b32854e3a51839f8aca9288e657ece7dd645875ef4db1160c92d1f515137fb245ada

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
162B

MD5
d5980bf4b018e4c397df95afe8941c66

SHA1
ce53c669a898d09479831bc59bc31a5fba2a6f2b

SHA256
9afd004a8cb9b9e8b1eeab780fb0c4ffa39c3ec2ded034b1a7cd69db7f67872a

SHA512
c995f9d3252b9a7af52a398562261baf3297fee64fade9de22895cce017e5aa097c7935a0519e474253a181e1e018348a1ade3d953bfaff5dc43e30e2d9fde5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMLN.exe

Filesize
258KB

MD5
c87988e35ec34779191f42b6213fdec1

SHA1
81036dcf6ea331243f2d512b8ac9611a95a18ea1

SHA256
96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

SHA512
ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image.bin

Filesize
21KB

MD5
f6f72da7cd731682ff5442ba541457e2

SHA1
60bddfc609fad2f80c0688905e795e51003d9433

SHA256
00a5048d9f74271e4cd5c36cf1434c789a8c16206ff5fca1c785156e01693bc1

SHA512
2a09df3df3d89ec413f31f7a20254513db6323e7c7e5e041161f55dfefcc80d22870c512f71aad77e7e9ef775b635a707ddf60b0bb4ef458bff6e15f1e425e5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
1KB

MD5
d867811867032ac9ea005ef01065ce6f

SHA1
8f179a187074922a9f4405ecf54a59929dd17af3

SHA256
d046763de7e23a2b92a223edfbd07d8bfca913cdfc5f698b9a5bf6349948114b

SHA512
91efffa455f1877636e52f7cd9953266c761a86465699b87e6a50736304164ce9f06b0d80ffea5b7731b7c73d26e937e4d52e7577f7f5bbc0cad038de98d3735

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
142B

MD5
09a66de624d647dadd33c7897344dc66

SHA1
0819f133c861cd4ca007de9abb9778a7e76cd24b

SHA256
a540e358c1349df49f88e0fd99bbc844430c84dc79d2599c878743f8f4b2ddb3

SHA512
1883d62b7fedff77e8893003719fd2e6b0a9d47963e2bfbc08e662e09145745e1f7d7a21fc47c4470e19dbef2ba274e1f87d0a6841bb804e2ed06205d5e1e779

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
207B

MD5
d3715d7f77349116a701484780269375

SHA1
589c48410637ac33431569b867070a51c4de5b1c

SHA256
ea0bdd86d283aba33d619aeecb5087ad9132b58e8ae7121e3c3774504abb976a

SHA512
9526a79ac4f9a18104f8e84d684136eef9b6bbccfe772d1d1030d9be02de2f7221cdee248ec748971551a42ed1d8fb1c8a9d820b837164f68376cdee1dc8ff3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
342B

MD5
cd278805d5f1aa22f2c3e3903cd10727

SHA1
1f7fcf532a4cb2d0d08247a9dd3b435f68ab76c7

SHA256
f349c9dab2020f5e485b412c370f3470404ed15eb182e728ed298861030712d8

SHA512
ccd0bb756642b1d90582398a4d860c591d9405d4ca91618c10f86527a5ceed5b1c2f0b253c51577fd00c4ba003b63167b04fa84b6542ec630d4f3c2b745c663c

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
564B

MD5
df6412cc0f77ce16caf3602c53d7a4be

SHA1
aa34421e95cb3a642842a63f5cfd46763e9b9a8c

SHA256
51bc53f8dba5178e0063e41e54197c4d7a566df509e67cc40c02137fd7ee2ac6

SHA512
335b790a29f91853899eae21d5973c839e5a9edfc49496ce6de909ec20bdfc9841dd14042727dd6b3dec091337fcdbb8ae8f1e44f4d8619723a2e882e50e667b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe

Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
0ae53c6f1e1adcc8a9693f206a2485a6

SHA1
206d4109769946f0510fa8a14e352c2a04898011

SHA256
254139a043d82339054678dbaa8ad01c67bceba6cedfa75b8eeb6cf5efdc1aac

SHA512
c47702e2f176b7fc44e97f2980c0e0548e749a97a5b8f78b1295b54f47e00cbcbe78563777351e4fa48a8565e2df9dc1d793c87f624bed4f4b3a25edb7bd31af

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
2KB

MD5
8ae842f36bf78d954e5a6a9875cdfaae

SHA1
23d65f4ae1ab65278c9f0b4c404e483ed2401878

SHA256
a9af29a7083f8def234d07e548833c98101c0eef1b0146a9220506a8f12e2cd6

SHA512
175802c9149d35aad3400feed091377192508cd656ba7d36ad5047d8ff14e9b72d957660b00fa4995c56e29de12bebf71301fedbedaffd5f328609c435d08834

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
035a430d34dbfc796d4b87d1c4ee605f

SHA1
8cfa3b915d483b887edd9246a6a1412050da8eff

SHA256
372ef282176a9585d40496081b4cb0a8214c91d215246db5f9f059d645386946

SHA512
e4dcaca075dfe7927c6752337e9d5788caae179945316552a32eac2f26f99b5bc911964eb16c99cd764923ecac8302699dd55156a37ba3ab3445a254e93635c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
3KB

MD5
db73285015a7f76e6201d618df1695f7

SHA1
b217d068d6d700be1788493ea920871900a02ad3

SHA256
3eac16cdc32d9297ae1b412c18ffd60b8a721f89d7383d6317077daa54084cb2

SHA512
3b80f1abca26e55fe0f04876079a65325f8f95f0e40e6dd7b4cbe4f76506a7e8c1d8b73210f6c61ad6d9d895187859c1c35a8bdeb889d7a8479c6ac7a089e991

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
519B

MD5
03f0ef4961ee3f5ebc91e222ad5c3a55

SHA1
130947f0716f672e1c0577f60471dfbd9d1f3435

SHA256
b2cf1c83480bb2e69599e063be75ef8188b20c82a03998098d13d42c11502d21

SHA512
641784c8422a15360449ae9d79722e4d6d5752ef8db0a6cd8e1d71e78c5994dc9e790f5e875a7314be603feb42badc587bf79e8f682aa94b2335443ea8592671

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
692B

MD5
6989502044e4a9fca67e9ded25de9956

SHA1
9a8d099caad939d32599530b27f7db641cbdb8da

SHA256
b370b54e95376f4b6df27592bc23343c82ebbfad3d52e71a38a2aac504bda04c

SHA512
9f0e6d59d9adc531f5c162b964205e0dd63c6a956291af48d24e6b8988a940b6f2cc7644a9163277e6383a6d9f8ddb00c9687d73426ea776c691e73f66e95a5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
6d642e115c1d32686fd56c3aae2c93b3

SHA1
3eab51add75fdb49999cec9748f3f3302b77d8df

SHA256
48964b914ce4e0fc2fb6319b1c6a65f0c25b1aa6312fd22631d1de957dd5713e

SHA512
373fc436ef8db3cc95914fd741cdd591d6b583b90a6d681e972bfa64d388a07dbd0d32a3cfb5ef6401da3e64ce6f6832db8f6b75c3b41e6fb3903d1e01faa508

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
6KB

MD5
7f1a4b3d87bff6a41c08ce3380027d4c

SHA1
13c60d9d0a163fdf52c1b15515b15a0a93829e40

SHA256
421fdf038063155bb84daf0bdcc8c11e3a93ad80a8c41e917a7f86e55400cbc0

SHA512
cd33e6352ab865b389535919af7c2c27a4b102d9563c222c138456b43729acc762d51bbc3b57c43a16f566c678ee03b51afcff27d1679b7400e8449e933da8e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
13KB

MD5
3099e999264f3b7e029b53b9e15f6dcf

SHA1
10fe06c2a148b0ea104a4a2f3cda1f7ef4bed842

SHA256
864d2cb79abe1b919662d5eaf4ffe9d079fcefa06855b04f1874ed3dff029cd5

SHA512
aeeab1e1fb905af2ef4ca3df327472e8712facb9741c80dfe50ff87abdf1afab24966525e6bad68e217278a708eb77634eff8cdec162f9f18ae816aac06838ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
15KB

MD5
6889c7ff7e44fe74a81e2d0b7c987d57

SHA1
0dd977ede9d74b964283c3a02aa5aa160e465404

SHA256
0c40aacddda9c2032144646910bf53cae063a3e51d66f803dae49e666b70dd44

SHA512
a16ac6b9b6ec0c1bae6de945f962ffe77790e33d11e6bb5f1bc0c5091290ff8ddcb41c194743bf76a7d408e08470218d583cf6a1c730137cd6b8c9963c83f4a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
18KB

MD5
c97914d0aeb57b1f2d3f8686c2291ed6

SHA1
07288435aac60a7eecbb13a7e9e191bd94a85ec4

SHA256
865a1071b357b01b07cbfb8a64318a285e184080a34b0034d3c7020e559c7394

SHA512
b894c444d334c180b18ac1d09a95c054290170f885d8ba512496727ab35796c9ca97e962d7af7d082a5bb490b0b33387e15588f1e877e2cbc0ac824d3a20f4b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
389B

MD5
340e0e1ecf7d231d4632663d95816784

SHA1
1a698a94d747ed67fcfda645b1c3d26311de3bed

SHA256
72c75877ed2a88ab17a6f2762b373e529a364bed30578a27dd715436a9a7efc9

SHA512
cf1202fcb1449cbfed31bb441625c700421d908c77e70efb1d77e94daec7bc11ef32b9701407f65d17211081bf9cf9eaec94e54d5abe8f6c5779e9fbc8d86e60

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
242B

MD5
fe79131d9f62a7125ae2f69267273bdc

SHA1
ce64c88f8b869715592a62313c1085fd404723c4

SHA256
ddbb6ebd07eb73d7d96736f68ba5e1b4757e999ced26fc1552665835c5cd7028

SHA512
178d228907b7bb32a7787b64a7e791897bacf75516493ddcb6494fe0ec7002bf0ba840a75e4a6d5db26c179de85c2a88e13104d571a1ee585512a5d775519347

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
462B

MD5
4dc05ac0050c0d2f98299a019fda2577

SHA1
9e606ec3d928474adfda99e10a3ef39e5c727683

SHA256
55fbdc6e73e70bf1466c6f00fe182c51aca8ead2fd1e3ee408cf9eff91f1a5da

SHA512
ebe2a623abbb7da77102687d1cbdd6255317ef32de0c0e6920c933c25a8a6069cd6be9f44248d91bdca87270db50468bf5e16ea629dd7277d9e15f34075cb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
158B

MD5
ad0010095a82da61b486dbe70cd90767

SHA1
67d5a65f8cee8409dfcec2da99d290a2730cd662

SHA256
28d651bd0e01d8ee66b46b064b05841cf33e44f3c55ee8b0612f5a812bf0de43

SHA512
93a5f5c2f71a00ce760f1efe89280e259b3f75f1d04e3a1708d683c0b9a619fb5ac577e0d9f59c3b767c3b45323e3af9450362624526705766bf77a94b4aa827

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Windows\B7DA.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/632-2634-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/640-2660-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/2148-2658-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/2620-84-0x0000000000320000-0x0000000000388000-memory.dmp

Filesize
416KB

Download
memory/2620-92-0x0000000000320000-0x0000000000388000-memory.dmp

Filesize
416KB

Download
memory/2620-608-0x0000000000320000-0x0000000000388000-memory.dmp

Filesize
416KB

Download
memory/2740-2760-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3096-1314-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3096-2558-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3284-1934-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3284-2662-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3304-2611-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3304-1665-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3312-2559-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3312-1315-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3468-2560-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/3468-1319-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4104-2607-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4104-1664-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4184-2612-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4184-1673-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4860-2687-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4920-1928-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4920-2659-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4980-2661-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/4980-1933-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/5972-2633-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/6476-2663-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/7176-2761-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/7344-2785-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/7452-2806-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/7584-2830-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download
memory/7756-2831-0x000007FEF7480000-0x000007FEF74CC000-memory.dmp

Filesize
304KB

Download