badrabbit | d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea

Analysis

max time kernel
8s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250314-en
resource tags

arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
submitted
19/03/2025, 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe
Size

1.0MB
MD5

ab566bd2a0f20afa6817214cf66269f0
SHA1

31cb35812778d4bbb0c7a496c9d789a13625b056
SHA256

d8270d57a3b02ad700dd88eb35bd00c24899e193efe4d60a1c1d3c5947eaf3ea
SHA512

353d36b414bfaef79f7c3703f33d12ec8467ca6bd71d7dab9aaf4546d60c9b74941fbf41eaa5e0352e34a3bd51b56baefd15183168ee519985eba81fe5399447
SSDEEP

24576:TR+cl7X1BRnI6hmebOe1gmf2Jg+DTcTugiIwsQhlRv9x/9K4CfFiEr0CJ:l+clb1BRntmeSKJStRv9xFK1gEr0E

Score

10^/10

badrabbit mimikatz defense_evasion discovery persistence privilege_escalation ransomware

Malware Config

Signatures

BadRabbit
Ransomware family discovered in late 2017, mainly targeting Russia and Ukraine.
ransomware badrabbit
Badrabbit family
badrabbit
Mimikatz
mimikatz is an open source tool to dump credentials on Windows.
mimikatz
Mimikatz family
mimikatz

mimikatz is an open source tool to dump credentials on Windows 1 IoCs

resource	yara_rule
behavioral2/files/0x00050000000006f7-180.dat	mimikatz

Manipulates Digital Signatures 1 TTPs 3 IoCs

Attackers can apply techniques such as changing the registry keys of authenticode & Cryptography to obtain their binary as valid.

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.1!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_CA_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.2!7\Name = "szOID_ROOT_PROGRAM_AUTO_UPDATE_END_REVOCATION"	certutil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Cryptography\OID\EncodingType 0\CryptDllFindOIDInfo\1.3.6.1.4.1.311.60.3.3!7\Name = "szOID_ROOT_PROGRAM_NO_OCSP_FAILOVER_TO_CRL"	certutil.exe

Modifies Windows Firewall 2 TTPs 14 IoCs

defense_evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
5136	netsh.exe
3772	netsh.exe
9888	netsh.exe
6028	netsh.exe
560	netsh.exe
3784	netsh.exe
9896	netsh.exe
9880	netsh.exe
9964	netsh.exe
11784	netsh.exe
5480	netsh.exe
5052	netsh.exe
4240	netsh.exe
452	netsh.exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe
Key value queried	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 8 IoCs

pid	Process
4440	A2-Cryptor.exe
4836	BadRabbit.exe
1084	FMLN.exe
5188	Shingapi.exe
5784	6457.tmp
3996	Shingapi.exe
1168	Shingapi.exe
3620	Shingapi.exe

Loads dropped DLL 1 IoCs

pid	Process
3852	rundll32.exe

Modifies file permissions 1 TTPs 14 IoCs

discovery

File and Directory Permissions Modification

T1222

pid	Process
5480	takeown.exe
9288	takeown.exe
7736	takeown.exe
9972	takeown.exe
14172	takeown.exe
4412	takeown.exe
4868	takeown.exe
1076	takeown.exe
9264	takeown.exe
9408	takeown.exe
9416	takeown.exe
6352	takeown.exe
4384	takeown.exe
4088	takeown.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Twain_20 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Twain_20.cmd"	reg.exe

Deobfuscate/Decode Files or Information 1 TTPs 3 IoCs

Payload decoded via CertUtil.

defense_evasion

Deobfuscate/Decode Files or Information

T1140

pid	Process
9568	certutil.exe
4708	certutil.exe
3900	certutil.exe

File and Directory Permissions Modification: Windows File and Directory Permissions Modification 1 TTPs
defense_evasion

Windows File and Directory Permissions Modification
T1222.001

Drops autorun.inf file 1 TTPs 5 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	attrib.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe
File opened for modification	C:\Users\Admin\AppData\Local\Temp\Autorun.inf	cmd.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\6457.tmp	rundll32.exe
File created	C:\Windows\infpub.dat	BadRabbit.exe
File opened for modification	C:\Windows\infpub.dat	rundll32.exe
File created	C:\Windows\cscc.dat	rundll32.exe
File created	C:\Windows\dispci.exe	rundll32.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 6 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 20 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FMLN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	rundll32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Shingapi.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BadRabbit.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mode.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	certutil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	A2-Cryptor.exe

Delays execution with timeout.exe 12 IoCs

defense_evasion

pid	Process
4576	timeout.exe
5812	timeout.exe
7640	timeout.exe
4492	timeout.exe
5692	timeout.exe
4492	timeout.exe
3492	timeout.exe
6924	timeout.exe
4056	timeout.exe
1424	timeout.exe
1076	timeout.exe
2060	timeout.exe

Gathers network information 2 TTPs 13 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
9872	ipconfig.exe
9604	ipconfig.exe
2460	ipconfig.exe
756	ipconfig.exe
5504	ipconfig.exe
9588	ipconfig.exe
9796	ipconfig.exe
9448	ipconfig.exe
4240	ipconfig.exe
2232	ipconfig.exe
9612	ipconfig.exe
9604	ipconfig.exe
9596	ipconfig.exe

Kills process with taskkill 13 IoCs

defense_evasion

pid	Process
9924	taskkill.exe
1052	taskkill.exe
9888	taskkill.exe
4220	taskkill.exe
1160	taskkill.exe
756	taskkill.exe
10212	taskkill.exe
3040	taskkill.exe
5824	taskkill.exe
4492	taskkill.exe
6796	taskkill.exe
5016	taskkill.exe
9600	taskkill.exe

Modifies registry class 5 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-308834014-1004923324-1191300197-1000_Classes\Local Settings	calc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
372	schtasks.exe
4868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 17 IoCs

pid	Process
3852	rundll32.exe
3852	rundll32.exe
3852	rundll32.exe
3852	rundll32.exe
5784	6457.tmp
5784	6457.tmp
5784	6457.tmp
5784	6457.tmp
5784	6457.tmp
5784	6457.tmp
5784	6457.tmp
2812	mspaint.exe
2812	mspaint.exe
4792	mspaint.exe
4792	mspaint.exe
632	mspaint.exe
632	mspaint.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3852	rundll32.exe
Token: SeDebugPrivilege	3852	rundll32.exe
Token: SeTcbPrivilege	3852	rundll32.exe
Token: SeTakeOwnershipPrivilege	4412	takeown.exe
Token: SeDebugPrivilege	5824	taskkill.exe
Token: SeDebugPrivilege	5784	6457.tmp

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
1084	FMLN.exe
2812	mspaint.exe
4792	mspaint.exe
632	mspaint.exe
2812	mspaint.exe
2812	mspaint.exe
2812	mspaint.exe
4792	mspaint.exe
4792	mspaint.exe
4792	mspaint.exe
632	mspaint.exe
632	mspaint.exe
632	mspaint.exe
3396	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5336 wrote to memory of 4440	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	87
PID 5336 wrote to memory of 4440	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	87
PID 5336 wrote to memory of 4440	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	87
PID 5336 wrote to memory of 4836	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	89
PID 5336 wrote to memory of 4836	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	89
PID 5336 wrote to memory of 4836	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	89
PID 5336 wrote to memory of 1084	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	90
PID 5336 wrote to memory of 1084	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	90
PID 5336 wrote to memory of 1084	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	90
PID 5336 wrote to memory of 5188	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	94
PID 5336 wrote to memory of 5188	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	94
PID 5336 wrote to memory of 5188	5336	2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe	94
PID 4836 wrote to memory of 3852	4836	BadRabbit.exe	97
PID 4836 wrote to memory of 3852	4836	BadRabbit.exe	97
PID 4836 wrote to memory of 3852	4836	BadRabbit.exe	97
PID 1084 wrote to memory of 3956	1084	FMLN.exe	98
PID 1084 wrote to memory of 3956	1084	FMLN.exe	98
PID 4440 wrote to memory of 4960	4440	A2-Cryptor.exe	99
PID 4440 wrote to memory of 4960	4440	A2-Cryptor.exe	99
PID 4440 wrote to memory of 4960	4440	A2-Cryptor.exe	99
PID 5188 wrote to memory of 4520	5188	Shingapi.exe	100
PID 5188 wrote to memory of 4520	5188	Shingapi.exe	100
PID 3956 wrote to memory of 4604	3956	cmd.exe	101
PID 3956 wrote to memory of 4604	3956	cmd.exe	101
PID 4960 wrote to memory of 4624	4960	cmd.exe	102
PID 4960 wrote to memory of 4624	4960	cmd.exe	102
PID 4960 wrote to memory of 4624	4960	cmd.exe	102
PID 3852 wrote to memory of 4568	3852	rundll32.exe	103
PID 3852 wrote to memory of 4568	3852	rundll32.exe	103
PID 3852 wrote to memory of 4568	3852	rundll32.exe	103
PID 4960 wrote to memory of 2828	4960	cmd.exe	105
PID 4960 wrote to memory of 2828	4960	cmd.exe	105
PID 4960 wrote to memory of 2828	4960	cmd.exe	105
PID 4568 wrote to memory of 3056	4568	cmd.exe	106
PID 4568 wrote to memory of 3056	4568	cmd.exe	106
PID 4568 wrote to memory of 3056	4568	cmd.exe	106
PID 4960 wrote to memory of 4708	4960	cmd.exe	107
PID 4960 wrote to memory of 4708	4960	cmd.exe	107
PID 4960 wrote to memory of 4708	4960	cmd.exe	107
PID 4520 wrote to memory of 4084	4520	cmd.exe	108
PID 4520 wrote to memory of 4084	4520	cmd.exe	108
PID 4520 wrote to memory of 5480	4520	cmd.exe	110
PID 4520 wrote to memory of 5480	4520	cmd.exe	110
PID 4960 wrote to memory of 4492	4960	cmd.exe	111
PID 4960 wrote to memory of 4492	4960	cmd.exe	111
PID 4960 wrote to memory of 4492	4960	cmd.exe	111
PID 3956 wrote to memory of 3900	3956	cmd.exe	112
PID 3956 wrote to memory of 3900	3956	cmd.exe	112
PID 4084 wrote to memory of 5720	4084	cmd.exe	187
PID 4084 wrote to memory of 5720	4084	cmd.exe	187
PID 3956 wrote to memory of 5692	3956	cmd.exe	114
PID 3956 wrote to memory of 5692	3956	cmd.exe	114
PID 4520 wrote to memory of 5220	4520	cmd.exe	116
PID 4520 wrote to memory of 5220	4520	cmd.exe	116
PID 4520 wrote to memory of 1756	4520	cmd.exe	118
PID 4520 wrote to memory of 1756	4520	cmd.exe	118
PID 4520 wrote to memory of 408	4520	cmd.exe	119
PID 4520 wrote to memory of 408	4520	cmd.exe	119
PID 4520 wrote to memory of 540	4520	cmd.exe	206
PID 4520 wrote to memory of 540	4520	cmd.exe	206
PID 4520 wrote to memory of 2252	4520	cmd.exe	217
PID 4520 wrote to memory of 2252	4520	cmd.exe	217
PID 4520 wrote to memory of 4240	4520	cmd.exe	219
PID 4520 wrote to memory of 4240	4520	cmd.exe	219

Views/modifies file attributes 1 TTPs 13 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1448	attrib.exe
6204	attrib.exe
5108	attrib.exe
7620	attrib.exe
9716	attrib.exe
10128	attrib.exe
9568	attrib.exe
1604	attrib.exe
2252	attrib.exe
9944	attrib.exe
9568	attrib.exe
4256	attrib.exe
7608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe
"C:\Users\Admin\AppData\Local\Temp\2025-03-19_ab566bd2a0f20afa6817214cf66269f0_cova_ryuk.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:5336
- C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe
  "C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4440
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\system32\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\5B5F.tmp\5B60.bat C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4960
  - - C:\Windows\SysWOW64\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      System Location Discovery: System Language Discovery
      PID:4624
  - - C:\Windows\SysWOW64\mode.com
      MODE CON: COLS=100 LINES=25
      4⤵
      System Location Discovery: System Language Discovery
      PID:2828
  - - C:\Windows\SysWOW64\certutil.exe
      certutil -decode "Image.bin" "Encrypted.jpeg"
      4⤵
      Manipulates Digital Signatures
      Deobfuscate/Decode Files or Information
      System Location Discovery: System Language Discovery
      PID:4708
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:4492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      System Location Discovery: System Language Discovery
      Delays execution with timeout.exe
      PID:1076
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:4492
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:5812
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:6924
  - - C:\Windows\SysWOW64\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:1188
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6924
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7192
  - - C:\Windows\SysWOW64\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:7404
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7856
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:1604
  - - C:\Windows\SysWOW64\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:3392
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5996
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:5996
  - - C:\Windows\SysWOW64\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:8104
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7784
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7784
  - - C:\Windows\SysWOW64\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:5576
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7400
    - - C:\Windows\SysWOW64\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7508
  - - C:\Windows\SysWOW64\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:7640
  - - C:\Windows\SysWOW64\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:9084
- C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe
  "C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4836
- - C:\Windows\SysWOW64\rundll32.exe
    C:\Windows\system32\rundll32.exe C:\Windows\infpub.dat,#1 15
    3⤵
    - Loads dropped DLL
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3852
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Delete /F /TN rhaegal
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4568
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Delete /F /TN rhaegal
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3056
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1740541075 && exit"
      4⤵
      System Location Discovery: System Language Discovery
      PID:928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /RU SYSTEM /SC ONSTART /TN rhaegal /TR "C:\Windows\system32\cmd.exe /C Start \"\" \"C:\Windows\dispci.exe\" -id 1740541075 && exit"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4868
  - - C:\Windows\SysWOW64\cmd.exe
      /c schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:45:00
      4⤵
      System Location Discovery: System Language Discovery
      PID:3576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks /Create /SC once /TN drogon /RU SYSTEM /TR "C:\Windows\system32\shutdown.exe /r /t 0 /f" /ST 02:45:00
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:372
  - - C:\Windows\6457.tmp
      "C:\Windows\6457.tmp" \\.\pipe\{15F495B8-CB43-4A8E-8CB7-0189D2F77B33}
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5784
- C:\Users\Admin\AppData\Local\Temp\FMLN.exe
  "C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1084
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\5B50.tmp\5B60.bat C:\Users\Admin\AppData\Local\Temp\FMLN.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\system32\mode.com
      mode con: cols=170 lines=45
      4⤵
      PID:4604
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Image.bin" "Wallpaper.jpeg"
      4⤵
      Deobfuscate/Decode Files or Information
      PID:3900
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:5692
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:1424
  - - C:\Windows\system32\timeout.exe
      timeout /t 3
      4⤵
      Delays execution with timeout.exe
      PID:2060
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:4576
  - - C:\Windows\system32\timeout.exe
      timeout /t 5
      4⤵
      Delays execution with timeout.exe
      PID:3492
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:6576
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7476
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7668
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:6604
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6696
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7680
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:7068
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7300
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6560
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:7312
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7668
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7924
  - - C:\Windows\system32\wscript.exe
      wscript "0.vbs"
      4⤵
      PID:7496
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:6928
    - - C:\Windows\System32\RUNDLL32.EXE
        
        "C:\Windows\System32\RUNDLL32.EXE" user32.dll, UpdatePerUserSystemParameters
        5⤵
        
        PID:7948
  - - C:\Windows\system32\timeout.exe
      timeout /t 4
      4⤵
      Delays execution with timeout.exe
      PID:4056
  - - C:\Windows\system32\certutil.exe
      certutil -decode "Data.lp" "KillWin.exe"
      4⤵
      Deobfuscate/Decode Files or Information
      PID:9568
  - - C:\Windows\system32\wscript.exe
      wscript "m.vbs"
      4⤵
      PID:10096
- C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
  "C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5188
- - C:\Windows\system32\cmd.exe
    "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5B7E.tmp\5B7F.tmp\5B80.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
    3⤵
    - Checks computer location settings
    - Drops autorun.inf file
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:4520
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4084
    - - C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        5⤵
        Adds Run key to start application
        
        PID:5720
  - - C:\Windows\system32\netsh.exe
      netsh advfirewall set publicprofile state off
      4⤵
      Modifies Windows Firewall
      Event Triggered Execution: Netsh Helper DLL
      PID:5480
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Twain_20.cmd
      4⤵
      PID:5220
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
      4⤵
      PID:1756
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /K Taskdl.bat
      4⤵
      PID:408
    - - C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        5⤵
        Modifies file permissions
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
  - - C:\Windows\system32\reg.exe
      reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:540
  - - C:\Windows\system32\reg.exe
      reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
      4⤵
      PID:2252
  - - C:\Windows\system32\ipconfig.exe
      ipconfig /release
      4⤵
      Gathers network information
      PID:4240
  - - C:\Windows\system32\taskkill.exe
      taskkill /im DiskPart /f
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5824
  - - C:\Windows\system32\attrib.exe
      attrib -r -a -s -h *.*
      4⤵
      Drops autorun.inf file
      Views/modifies file attributes
      PID:1604
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1260
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1928
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:5724
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:940
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:1896
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:2876
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:5124
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:5948
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:4124
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:412
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:4216
  - - C:\Windows\system32\msg.exe
      msg * Virus Detectado
      4⤵
      PID:5488
  - - C:\Windows\system32\msg.exe
      msg * Has Sido Hackeado!
      4⤵
      PID:5024
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3996
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\66E8.tmp\66F8.tmp\66F9.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        Drops autorun.inf file
        
        PID:3628
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:6132
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:5052
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:4276
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:540
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:1916
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:5480
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:3968
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:5064
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:5504
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:4220
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:2252
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:2448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3580
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6172
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6256
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6300
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6408
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6432
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6456
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6492
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6516
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6528
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6588
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:6672
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\AEBE.tmp\C13E.tmp\C13F.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8016
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:6220
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:2376
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:452
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:3892
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:2772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:3384
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:9416
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9388
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9520
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9872
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:6796
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:7620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:9736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:6476
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10420
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10656
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10852
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10964
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10980
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:10988
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:11584
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:11232
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:12784
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\5A5B.tmp\5A5C.tmp\5A5D.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:13300
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:12996
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:13152
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:12480
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:8676
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:4768
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\79CA.tmp\79CB.tmp\79CC.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:6944
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:7928
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:4604
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:13608
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:13912
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:14164
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9E1B.tmp\9E1C.tmp\9E1D.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:11668
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:8332
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7060
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:4336
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6308
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:6692
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7220
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B8A1.tmp\C0B1.tmp\C0B2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:7916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9784
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:9904
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9964
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:736
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:9456
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:7124
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:9972
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9868
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:440
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9448
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:1052
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:9568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:13444
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:13628
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:14316
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7460
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7504
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7640
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7724
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7808
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\C36F.tmp\C370.tmp\C381.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8176
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:6764
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:2300
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:3784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:7908
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:8236
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:2832
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:1076
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9328
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9476
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:756
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:9944
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10036
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:440
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:6848
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8336
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:3592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:6252
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:6332
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:5472
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10376
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10584
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:10744
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:10936
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:11612
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:12032
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\42DB.tmp\42DC.tmp\42DD.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:12316
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:12040
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:12048
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:12056
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:12064
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:12072
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\40C8.tmp\40C9.tmp\40CA.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:6612
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:12080
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:12088
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:12096
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:12104
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:12112
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4944.tmp\4945.tmp\4946.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:12584
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:12120
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:12128
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:12136
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:12144
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:11432
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:12632
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:12880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:11784
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:11508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:13484
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:7980
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:6700
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6600
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8988
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7768
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8464
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:2268
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8532
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8684
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:764
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      Modifies registry class
      PID:1400
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies registry class
      PID:4856
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:2812
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1168
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\67C2.tmp\67C3.tmp\67C4.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        Drops autorun.inf file
        
        PID:228
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:5356
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        7⤵
        
        PID:4216
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:4672
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:6028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:456
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:2620
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:1944
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:4088
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4548
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:4964
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:756
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:1160
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:1448
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:4248
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3656
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:3624
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:2232
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:5344
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:5052
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6228
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6240
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6280
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:6324
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6400
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6572
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:6596
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6620
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\A9EC.tmp\C0C1.tmp\C0C2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:7956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:8816
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:5728
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:3772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:3064
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:8564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:4112
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:9408
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9340
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9452
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9588
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:10212
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:5272
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:3040
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:7620
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:5108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:4976
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:3400
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:9608
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10300
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10516
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10688
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:10844
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:11028
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:11924
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:6472
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\4F01.tmp\4F02.tmp\4F03.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:12836
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:12560
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:12736
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:12948
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:13144
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:6812
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6CCA.tmp\6CCB.tmp\6CCC.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:12056
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:11740
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:12608
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:7828
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:8568
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:13584
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\8CF4.tmp\8CF5.tmp\8CF6.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:14028
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:13860
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:14124
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:13524
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:2488
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6628
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:6664
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6688
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:6776
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:6784
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\ABFF.tmp\C0C1.tmp\C0C2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:7968
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:7820
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:8808
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:5136
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:1188
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:5248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:5836
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:9264
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9364
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9460
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9596
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:3040
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:9716
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:2664
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:9508
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:4812
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:5208
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:6080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8548
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10396
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10592
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10764
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10788
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:10804
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:10904
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:10944
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:11052
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2E1B.tmp\2E1C.tmp\2E1D.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:11488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        10⤵
        
        PID:11776
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        10⤵
        Modifies Windows Firewall
        
        PID:11784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        10⤵
        
        PID:12464
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        10⤵
        
        PID:13004
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        10⤵
        
        PID:13244
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        11⤵
        Modifies file permissions
        
        PID:14172
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        10⤵
        
        PID:13760
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        10⤵
        
        PID:12088
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:11060
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:11068
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:11076
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:11084
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:11092
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\3109.tmp\310A.tmp\310B.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:11624
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:11100
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:11108
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:11116
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:11124
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        8⤵
        
        PID:11132
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\2D7F.tmp\2D80.tmp\2D81.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        9⤵
        
        PID:11456
        
        C:\Windows\system32\notepad.exe
        
        notepad
        8⤵
        
        PID:11140
        
        C:\Windows\system32\calc.exe
        
        calc
        8⤵
        
        PID:11148
        
        C:\Windows\explorer.exe
        
        explorer.exe
        8⤵
        
        PID:11156
        
        C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        8⤵
        
        PID:11164
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:11172
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:11596
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:11080
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:12624
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:13092
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:8396
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6800
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:6848
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6872
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:6968
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7076
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\B016.tmp\C0C1.tmp\C0C2.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:7936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9168
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:4984
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:3324
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:5416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:3772
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:9288
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9316
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9468
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9612
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:5016
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:9568
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:3640
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10356
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10544
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:10720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:10888
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:4076
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:11904
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:11880
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:12720
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:13204
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:8680
        
        C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        8⤵
        
        PID:7204
        
        C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        8⤵
        
        PID:14240
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6224
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:3768
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7248
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7288
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7328
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:3916
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:5156
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8204
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8880
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:2548
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:2120
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies registry class
      PID:1492
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:632
  - - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3620
    - - C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\6A53.tmp\6A54.tmp\6A55.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        5⤵
        Drops autorun.inf file
        
        PID:4744
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:5280
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        7⤵
        
        PID:1592
      - C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        6⤵
        Modifies Windows Firewall
        
        PID:4240
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        6⤵
        
        PID:6052
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        6⤵
        
        PID:6028
      - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        6⤵
        
        PID:2848
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        7⤵
        Modifies file permissions
        
        PID:4868
      - C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:5884
      - C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        6⤵
        
        PID:2032
      - C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        6⤵
        Gathers network information
        
        PID:2232
      - C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        6⤵
        Kills process with taskkill
        
        PID:4492
      - C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        6⤵
        Views/modifies file attributes
        
        PID:6204
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7588
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7776
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7880
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7704
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7248
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:2536
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:7976
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:6852
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:1188
      - C:\Windows\system32\msg.exe
        
        msg * Virus Detectado
        6⤵
        
        PID:6532
      - C:\Windows\system32\msg.exe
        
        msg * Has Sido Hackeado!
        6⤵
        
        PID:7952
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:5288
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\858.tmp\859.tmp\85A.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8612
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9628
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:10056
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:10108
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:9320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:6816
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:4384
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9892
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:9968
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9604
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:9600
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:4256
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:12328
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:12864
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:2604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:7200
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:14052
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:2952
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:7604
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:7964
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7276
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7404
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\80B.tmp\80B.tmp\80C.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9620
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:10048
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9880
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:10140
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:9360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:9376
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:6352
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:116
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:5108
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:9796
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:9924
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:10128
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:1436
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        8⤵
        
        PID:13452
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        8⤵
        
        PID:14080
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:6664
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:5576
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:6768
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:7720
      - C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        
        C:\Users\Admin\AppData\Local\Temp\Shingapi.exe
        6⤵
        
        PID:7952
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\80A.tmp\80B.tmp\80C.bat C:\Users\Admin\AppData\Local\Temp\Shingapi.exe"
        7⤵
        
        PID:8588
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:9576
        
        C:\Windows\system32\reg.exe
        
        REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Twain_20 /t REG_SZ /d "C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd"
        9⤵
        
        PID:10064
        
        C:\Windows\system32\netsh.exe
        
        netsh advfirewall set publicprofile state off
        8⤵
        Modifies Windows Firewall
        
        PID:9896
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Twain_20.cmd
        8⤵
        
        PID:10196
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Informacion.vbs"
        8⤵
        
        PID:6644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /K Taskdl.bat
        8⤵
        
        PID:9496
        
        C:\Windows\system32\takeown.exe
        
        takeown /f "C:\Windows\System32" /r
        9⤵
        Modifies file permissions
        
        PID:7736
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:7912
        
        C:\Windows\system32\reg.exe
        
        reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
        8⤵
        
        PID:10124
        
        C:\Windows\system32\ipconfig.exe
        
        ipconfig /release
        8⤵
        Gathers network information
        
        PID:2460
        
        C:\Windows\system32\taskkill.exe
        
        taskkill /im DiskPart /f
        8⤵
        Kills process with taskkill
        
        PID:9888
        
        C:\Windows\system32\attrib.exe
        
        attrib -r -a -s -h *.*
        8⤵
        Views/modifies file attributes
        
        PID:7608
      - C:\Windows\system32\notepad.exe
        
        notepad
        6⤵
        
        PID:8216
      - C:\Windows\system32\calc.exe
        
        calc
        6⤵
        
        PID:8256
      - C:\Windows\explorer.exe
        
        explorer.exe
        6⤵
        
        PID:8264
      - C:\Windows\system32\mspaint.exe
        
        mspaint.exe
        6⤵
        
        PID:8340
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:8640
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:8864
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:9052
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
        6⤵
        
        PID:1372
      - C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
        6⤵
        
        PID:7348
  - - C:\Windows\system32\notepad.exe
      notepad
      4⤵
      PID:4480
  - - C:\Windows\system32\calc.exe
      calc
      4⤵
      PID:4532
  - - C:\Windows\explorer.exe
      explorer.exe
      4⤵
      Modifies registry class
      PID:4788
  - - C:\Windows\system32\mspaint.exe
      mspaint.exe
      4⤵
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:4792
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:5668
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:1964
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:5720
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:4132
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs"
      4⤵
      PID:6136
  - - C:\Windows\System32\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs"
      4⤵
      PID:4864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:3396

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:2776

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:5876

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3164

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:6992

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7132

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7232

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7436

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:7908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8564

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8716

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8812

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11524

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11832

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11960

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:9324

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12540

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12684

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13060

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:11008

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:8048

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:13708

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:12232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Deobfuscate/Decode Files or Information

T1140

File and Directory Permissions Modification

T1222

Windows File and Directory Permissions Modification

T1222.001

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
383B

MD5
e8ac1f187bb02b76ff45f3a3977c6669

SHA1
a6246d99d7f0347e246399576342e7e118d6cb2a

SHA256
8b163a7e7bc1048d74b3b0298b85bc453cf349c9adb53d76adf391ef0491db26

SHA512
f7f67854fdd19718a5fe8aaf99cf722ffb73a8151c8d3f214e89b44b0c4cba24c5fbfd390246e9cb2423919d0b4f694117c09b7697853168156d77efbb83397b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0.vbs

Filesize
766B

MD5
72b5aee695ab8f7c40fca542592817a5

SHA1
8045fa50bcecaa5eeac4284650642d7b901a4772

SHA256
60c004e57de6111ce9718faf9af4bed371e0d2c95a70bc9e2cce0c468b098d27

SHA512
5e6fb67f99f577f1e2bcde5de5ea02fbe61707a1287f9d4a395207e8a61616ed08c7fe6d1415183b4708eb34e369af102b7716a540d1f5a4a11f04e4d86de160

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B4F.tmp\5B50.tmp\5B60.bat

Filesize
54KB

MD5
93841169c4264ce13735e8b116d06226

SHA1
1ceac2fe01f6bdb37bdeb73ba13cd7ed99d0f608

SHA256
82bf8fbb4b79fdd9a21518373ddd57fc2d6c53599458a055f64e20d40dc85f2b

SHA512
ce98cac504828ac676d1069f6d0cedc55ff68bf51d2b01df0108ec632bdc0aa1f809ef6ddb000fa1c59ea66723c903cf37412d98f59ff7032777a45b2c72e871

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B5E.tmp\5B5F.tmp\5B60.bat

Filesize
33KB

MD5
4b42191175209ea23203acc526307c00

SHA1
a77abea54f5b2a0084fd1574a1c5b6e1df1df054

SHA256
4ce518699c3f97015eb2f81b09325c8f67213d0efaec73bbf924a5bdf3d5152c

SHA512
fb35705095153a587a253160a92268c8e03605f87ecbb45dd3a0c4ca59e255046188cb9476d99f8164458506d2e5057e6127f0e0fe7997471e7381cc4a08ec42

Download Submit
C:\Users\Admin\AppData\Local\Temp\5B7E.tmp\5B7F.tmp\5B80.bat

Filesize
17KB

MD5
190e7cfa7d6de532ba4498ca3d38b47d

SHA1
7d4ea5ce61962c0445d955a44dd31226fa8c736e

SHA256
faee2b0ac2218435a6973b87277b29010c988efefdcd7fe0e107808c2cc0f282

SHA512
5a87b4bac67957acbc6dfab08cf9b3e1110e4b496b66110a44f7b2d0ec75b950d7569b6220c4a5ab3597db032e70b16d5a5e6ee4ab23102f6d12fea7bdc11598

Download Submit
C:\Users\Admin\AppData\Local\Temp\A2-Cryptor.exe

Filesize
122KB

MD5
d6e36f6b145a4601a84835b7e8a0bbc2

SHA1
3c7e26433f5f42fe69fbe4b3c2e6d9d7b196697c

SHA256
46038db7643482e1d25939e6c7be35a7e7529fd716570e25e4137f6a79a1c316

SHA512
e10acbaa6e1cd5cc4350dc789841e2638fb50b152aebc65bee2c07ad94f7e6ae1ce6bd51c5f5f6952f970ee364f2515417608e872c3b97b0cf749bb86fa0b72e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
60B

MD5
11aa52a7eca2cf8fdcd1584b5a8b6026

SHA1
01ae6066e6b3879cb0caf306cc91077b7c0bea1e

SHA256
8dfd0a6db2df60455840dbbbcc4f8b70d730ba1c2afbf300316898b3dd3e9b11

SHA512
07f37c050eb59e7a1a228ca851d05ca9b62bb3de97f988fb36c374c827833c8c551e5cb51eb05130861c0b35515ca77ae667ca97ee4f08c86cdf9f6fb64533c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Advertencia.vbs

Filesize
240B

MD5
482dcfe952218cf31ad2adddd8f6616b

SHA1
7a6bcfce28c76bc3319c871696531d21200f3bc0

SHA256
093b0f0c3f7a9bf24406662245b57f171837a266aba49f198319045e971e77d5

SHA512
440182ba5cd7c85abc11fe9097a41486469afde738d26f471efe4e7928106cd57240b1045bc97d60c42147ca25b032c4149487f1a1ab4581292c7eff2bc801b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
74B

MD5
b39df423c6e5978065a9a8ec4879a3b4

SHA1
96441a7a7d8090f7a96a1160f539531f66568e88

SHA256
12a5135510016abcfe1192aceb6fec42634346661d778d68be1debaa3d75e967

SHA512
2d583fcae1ec73f836c5b66b8b1337bb4250a8230073de96d501a4fab5f522b75599ac2a1fcf1457a841d8c84bcccb88feade82f49357b28345c63d9526cfeb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Autorun.inf

Filesize
296B

MD5
7b25402475482c7b770d89f147fae974

SHA1
f64addcac8a47b4f4fec3693f0b20011c02d9616

SHA256
524eba98364d7802f73613e2e85d7a809997efd9aaa509038d080cda38349348

SHA512
b0e7d51440e532958e6006503a579e93f7ca0a38bc7325b41d4a62b226f6fd8692b11e658c52bbe6a60853310536bae1c69a3fb4b85a4c8b4c6b8856048a041f

Download Submit
C:\Users\Admin\AppData\Local\Temp\BadRabbit.exe

Filesize
431KB

MD5
fbbdc39af1139aebba4da004475e8839

SHA1
de5c8d858e6e41da715dca1c019df0bfb92d32c0

SHA256
630325cac09ac3fab908f903e3b00d0dadd5fdaa0875ed8496fcbb97a558d0da

SHA512
74eca8c01de215b33d5ceea1fda3f3bef96b513f58a750dba04b0de36f7ef4f7846a6431d52879ca0d8641bfd504d4721a9a96fa2e18c6888fd67fa77686af87

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
712B

MD5
fd85c3ad8c5e9ae743bb6602327f3620

SHA1
dfc55f497ba103a3d48a838eeb4a0be155ef2386

SHA256
4d7f869098139507da74363dfc44d464ef6c9db8ddf1f03cf651806e0a691318

SHA512
a788058a432fb7e7f587ffb7330b20066417f9bc50cc93c53f9076df8a212d440abad48bc32f8f17f8451721b5cc99f5d7524e70ed4504df619ee510ed0f7acf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
360B

MD5
eb52ab89b5bcc1dcb107e0b2abf807b4

SHA1
806ef3da9ee724c726e97b08734b6cfb987cc911

SHA256
f59fbfa98b9b8f9d09db0220f6e37e16b369a437ce121ecb5d9464c29f4579ec

SHA512
1e0f3f1f7a11c8d7e7597581d6f90071a4854c2313e0bac7e78d4a641d27809c92779ac5e03e6dfb59404b491949c11b8a23161fc84e4714b66f947da270d0bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
428B

MD5
4c422e255d9d298d73d5b90977380b4a

SHA1
0798080598c5050bc948dd788ed8d493a7d62c93

SHA256
bd85ef7a02fdcd0cbd5088c6d2e24fc785d4fb8f48d1376a616578a9b0654d7c

SHA512
84c9b97ab8f3cbafc0c76f2bca8ec707fd278023e8bd972c0e0633b8396b5dfec912a19011e01dcacc1636c22397c29bc82b6c9f40770bc41a4e72c5b5641a6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Encrypt.sk

Filesize
499B

MD5
f1efa7465af8ee69b92c1ed64e45d576

SHA1
9516e9e472731b7d61497d7d664cc3df40bc382d

SHA256
e3b2bd15783934777a91641732b04ab5fb9b3e51427105e14d1952f3608bdbbd

SHA512
709c0643d78e5dab91c42dea80a072524a4b34e7dda682c6f31a115a485b33ed1aeffa7ddadeb6616f852d7b43bbc3277a78e41bd485529f99b6f5f45d51d83d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
54B

MD5
888e64c554686bbbc0499057cce1af36

SHA1
5a7f51c66e3ae7dd0e0231c9817aee8c9fc54006

SHA256
616cf19739e00c69e9606d9c94869f6fcb6a7b3860e7b8af9bc896f3081dad0d

SHA512
9882375fdd09d489258447d49b8b63d0bc8db57cdb7186500c00c79d57f30af5f37a69e8fab70683a7c9d730e3484ef537ee57bb1892a84f92e9aba639d1d227

Download Submit
C:\Users\Admin\AppData\Local\Temp\ErrorCritico.vbs

Filesize
216B

MD5
7659392a12010d8c761cb9888f6fd5ac

SHA1
b8829c26628740b77ab7405c231f420e860d8c1f

SHA256
71bd0bffdeca9dce2b4e9e1d767a0732657032171f3ad33903dec353ef95a431

SHA512
5caf94b288649b687f411cbb5519168e09e161f8d9545a6bad1b0d08876a542d153a115f8b44e3f15d973812ce8ec7471bba7d8bd0b9a22d0abf6fdf2914a2bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\FMLN.exe

Filesize
258KB

MD5
c87988e35ec34779191f42b6213fdec1

SHA1
81036dcf6ea331243f2d512b8ac9611a95a18ea1

SHA256
96f3ce153153f922fb18e4722b0348aee2c76022bcdee75fadab97023003fe10

SHA512
ba32f9bc18fb187fa4dc03bb1db903255c16af62dc903521ddd8fb120e5599bbccb4fa12255f0195a5e51b6a99ee5228bc0515f299c0ebb1b1a5134e61aab9e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Image.bin

Filesize
18KB

MD5
eb05f382514e1a62572f9afd06a0a50d

SHA1
86a601e6b8a6e0dee089a66707a9a1d80bd33ba5

SHA256
24c3df9a48a7d1abd01b3a608505a33a3a2d3d907c7b6dad79c0f0da01125ab9

SHA512
2b46fcbcd1a35e09c22f3230b690783121fbdd504e4f3f34d3e1753db63d6720e5c6d752bad2d2015326e165b08b13d4c4ed7611cdaaad0e1f52a357e270a79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
69B

MD5
72946942abf5cf295f726b816c531ebf

SHA1
8ac5ccae8003c3776c2e0ee0959a76c8bc913495

SHA256
d9fc0446467e00e640f0dd0bf36882943a6993dcc1038ba8f73239152896eb25

SHA512
2f42b10e2c1359a690e1a69e307008e3beb4712e4c071d916fb1380c61cb2ed3ae48c86af44c6f1c9d613e85dd75d8cfd66fd01de0649444ee6d5193d9789d23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
276B

MD5
089381a847f01ba0962ae00f0d92d5e8

SHA1
9f3240f89871639778a318e0cadccafcf9d7c55e

SHA256
2cda289b5067c9daf8b4dffdf323b2fe9d0a47bfdbb91b4a017029bc74729c05

SHA512
89fbf1b423f17101970290b070d740b8d58beecc6723e64edb7ae23b9285afe3a612b8e8f5ec202d60aca3875a28dbc556a43af9fe4113ac0bdba1fa83c5213a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
814B

MD5
c73987f13f479e43d3be519043f82445

SHA1
20dcfdb40817cdee460de304d65cca3bf235fc47

SHA256
96ea8eb2887dde2c855e548e34f925a9f21170196ce4a973b3d9988ae1e9a9ac

SHA512
45cc5f6e7c364ee925927ba8184f4b8c882941dfc2266f212e100b7d4b0fe1a06625020cfd13375869b16fd0677646daf7fd2bf9ede0f0e6b8bc518a320a1d32

Download Submit
C:\Users\Admin\AppData\Local\Temp\Informacion.vbs

Filesize
883B

MD5
225ac9b19de7ab828623cc7fca06c215

SHA1
c5ec85619e03cbc98287e4977bf5e13d23ded507

SHA256
9e0eb524bff871741994b3dc40038652382fc9893f8e6645944c7025ff5834fb

SHA512
e7bb38d1e738e1dd703d1717de609d7b9737f7b91ef098110b33552ac535244e1e0080bb784b73e7b404deae03345c36d09f1ea8db993cbcfe6a716689de80dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
153B

MD5
cc5115017033d6d1cff6203a751651fe

SHA1
f55ea4cfdb05ebb8e764b1577f04022477ccdbac

SHA256
1ee38e8cf1783d70f9cf63456f397702e3c35c624f0b391b99f0c3df3a9949c3

SHA512
eb8a5983c0562f1948628d2e8925de0174e8b615ab0875c138e2817fa1bacb60b223cef15f2223be3a18e9be2cdac491e6c7b74856a83d88a3639ba176344960

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
199B

MD5
c85a3ebabaa3d4fba42a7dc949c67729

SHA1
1c3d8d261b25606e02506c28a995742b6773e33c

SHA256
aea0d1335b1a74ce2df2b0d31a54305370689c262e19f1af1e82e9c79d115b27

SHA512
658c8a6b5bcb3b28cdecf4f54788a0cf094d778c12a913fa2b6448b2a7ba1111d4c5aca1feee4b4391333fd4a11a62598c4d93d860b62b754639f882e4226a92

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
260B

MD5
92cdbff07c07f387b54ea7b1ca69e5fc

SHA1
b683d582012fc7f2b9f9f7a856480100029cb996

SHA256
72fa12d4704c720e23ce5f8ff09738f81e5d45b933689e3fcbde1ce16f5496c2

SHA512
37a6ef7f21c0607a3535570b2993ad58862ab6446f5f9cf5731c716a8908364f575c2d7a8f552037ea84a1f0e22fcca976581c409699b339f6eecca53ab1f994

Download Submit
C:\Users\Admin\AppData\Local\Temp\README.txt

Filesize
1KB

MD5
60de1b078aa8618116bbf75e81f67bf0

SHA1
109bdd60da622dc35056efcaef2843fc9840c243

SHA256
66ba3f612a78917b8e1768f284538c214455c2f1b543ec4d9628f0ae2f0e1507

SHA512
b00096e5d43143728871fdd995316fc067155bc62cdcea71a57e31c6196080918e4a80880630658e3477dee5ffbdeb9e6983c5abb923874d7dff62d4985d47ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Shingapi.exe

Filesize
106KB

MD5
8b6a377f9a67d5482a8eba5708f45bb2

SHA1
7197436525e568606850ee5e033c43aea1c3bc91

SHA256
6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f

SHA512
644e51798399168530b05e629b414dd80cac678bd3c8d4a5d164f55736a2b2fd380d3ca4640f7a034c8f043c06b1527b473e2d17da088d5e97de6ea04120dd72

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
173B

MD5
0c998e3681eb9f67fbacda38281c5fa7

SHA1
bd3e89780f374c54c5dfbe3fab83a926ca5803de

SHA256
3c656f47268598c5bbe3ee4661b4f8c7dc09420cf393a6e417541db3c6020205

SHA512
11e3fd1d141bd23a2b0f17665f0f57e5a606fdd82555a7bd88cd533863ce4269d8395f8963d1cdfde93efbb0817486db48c3b593f8de35e150e2395daadb762e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
346B

MD5
4e71aaa85b945ab5dc2680ce12d8474f

SHA1
a00ff196706e8282b02187281a7fa71f20c59eba

SHA256
411d8fc3a482880ec2b56a7193a4104130ca9554f1feb96db27c59a2b61303a5

SHA512
cea3cdb3eb537454ccf9773c80c111d8172dace2c79c62ffe18ac7c4373669d055fd9cc4929f9b6f4f376507a1319e37b0ba26373e40f4332d1acb025792b430

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
371B

MD5
35ecc8cfdd94d17cac636bc542434869

SHA1
8247ac65fd9a043e90099de789102e0ed94ce7d8

SHA256
49a9beac6a4e5cee83721ad911ded576f6efdfda14a69e58df369f8459650567

SHA512
d064f1278a60647d8d8a5bb7e122670cc1eddb4c211d6fb1e85377a715e7bdf9b60d8cfdcb29604a7a73f3c79c0f6dd5661b2e18fba4e34ff3f01c4a55e8fb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskdl.bat

Filesize
1KB

MD5
a3fa3a80cf4c9cc1833d45a7f627b604

SHA1
53cf1c4ab7542085a8c2ea97323a650b62e36963

SHA256
001cdd900b1546b5b6f52182f539ff185198a723a7cf4b39af438160d9ac229b

SHA512
f3c61e93de3fe03afd54cbe9a57482c82a0388cb3dfb2417f48469d035dddc1444aa268153ea459c16293d003cc8f6d4c11923f50c186e2b00b243b40b18a051

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
4KB

MD5
0fd0890127425257cd8347359abd7664

SHA1
681c58322ec788a05d9693e3ec15fadf7a809941

SHA256
e0942b21f6cc1fbcb052e6fc00d70dd9ff0f55169bda48ea12285fd414ee1418

SHA512
11ce13209bcf7c8a06c66ac71244defa097b5f972ce84cb1f4f0890d4502b17dd32c55407a48cedbd07ac085412ce7969a1637d131c48e6959745925cefa88f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
17KB

MD5
8ca4583e279139744aed6b9c41d82b5b

SHA1
1968a9c6c2f012ff00c5718a24b5a010bc769c8b

SHA256
899daab2fd08d5f678ca4b770968c73e7ff5f453cc731c942d3052af8880e4a8

SHA512
3eb68147cacf68ca05020fd154684fbf7528f6eb3d4496572590ae22712e5b2b5efd5f2d7914ac482c521e73205211d0d67c431dc77cf92ee1b051cfef71df1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Taskse.exe

Filesize
16KB

MD5
91551b6a441750aa813a986e95d93488

SHA1
c939b81c27fb7283152988f7cc5af311edc6db3f

SHA256
75dab69bf0372e6fade9ceba4cb2e008163bc2b162fe9ffbee9c43982b08a2f9

SHA512
d441fa9a7987fc4169d4ea54a4b426c7d863050c6c1ec42631f142d3469a39ff21ed1bc144904c1930b57bc14b8ebd2debb6d9fadf3c10eba4201c62895dd067

Download Submit
C:\Users\Admin\AppData\Local\Temp\Twain_20.cmd

Filesize
231B

MD5
da5f8d71afd8ce9598ec5e5443c459d9

SHA1
abd2267aaea39b0a9208bc7f094df5fb2754d233

SHA256
a1d679d97c8ab326b9578d18de310789709482bf270d350786e1b30895c92c80

SHA512
1318f1471a536244523141d14c8c73b8dc52de3843eb8b8b3e9b2ae0348eb4f41c085931b8053c5fc68182f0a493d15de7bb086cc872f48203e8f9916886452b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wallpaper.jpeg

Filesize
13KB

MD5
1285cd98536d791db631ac4bbc4520b1

SHA1
c0cf2a608361742736fc886ee837c6a501cc1ed1

SHA256
8f16b68a09fb1ac498e34054c6b31634a7fba08204678b19d449f617c303c674

SHA512
f67065feb33b555748e5e82dd8c2b3da4992d03eab7444481b8d060fd74a579859bbbbf6f8f37aeb6e267ab4594a2c4732e90b5e2cf2cec006191885359f8826

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
49B

MD5
cfb046d3c9513b92c1b287da26f97c28

SHA1
ea8208c4dad826b7fdb3b5b728863a95e86d4383

SHA256
a06f170d4f92bf290e38b0ce1c05bb59c95de2797b1a5253b949ad7e1be9818b

SHA512
dbeeea4d284f59e1455a5426334caa02458e88833aeece9817c51be616697ca4c399b2a9d0e8e44bf4a5ee63d0b37c0aed68c01f1748fa5a23ed6d2af62b3340

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
11B

MD5
9905e5a33c6edd8eb5f59780afbf74de

SHA1
64b2cd0186ff6fe05072ee88e2bb54476023772e

SHA256
c134b2f85415ba5cfce3e3fe4745688335745a9bb22152ac8f5c77f190d8aee3

SHA512
e10711d0fb09db27192e9af05ae45b83cf3882d98e904a7f1f969cf24c2f9626f70f35d76f57477fe9c64a58bc74100410740e9d506d4e72d3e2900d6277816e

Download Submit
C:\Users\Admin\AppData\Local\Temp\windowswimn32.bat

Filesize
44B

MD5
ea260c435f9eb83e2b5041e734ff3598

SHA1
ca70d64367cbdffbbf24e82baff4048119203a2e

SHA256
3ade659fdae17c11c3f42b712f94045691fbd0b413428b73e1de8fe699e74615

SHA512
548624cc523aeb4136376f792d23b3f2aee4a676362f8a0dd0e8161f0df87ab926b82f67fc174eb5d9473c23f49e6ca962bc84479967f7e624250d94efa66876

Download Submit
C:\Windows\6457.tmp

Filesize
60KB

MD5
347ac3b6b791054de3e5720a7144a977

SHA1
413eba3973a15c1a6429d9f170f3e8287f98c21c

SHA256
301b905eb98d8d6bb559c04bbda26628a942b2c4107c07a02e8f753bdcfe347c

SHA512
9a399916bc681964af1e1061bc0a8e2926307642557539ad587ce6f9b5ef93bdf1820fe5d7b5ffe5f0bb38e5b4dc6add213ba04048c0c7c264646375fcd01787

Download Submit
C:\Windows\infpub.dat

Filesize
401KB

MD5
1d724f95c61f1055f0d02c2154bbccd3

SHA1
79116fe99f2b421c52ef64097f0f39b815b20907

SHA256
579fd8a0385482fb4c789561a30b09f25671e86422f40ef5cca2036b28f99648

SHA512
f2d7b018d1516df1c97cfff5507957c75c6d9bf8e2ce52ae0052706f4ec62f13eba6d7be17e6ad2b693fdd58e1fd091c37f17bd2b948cdcd9b95b4ad428c0113

Download Submit
memory/3852-56-0x00000000026B0000-0x0000000002718000-memory.dmp

Filesize
416KB

Download
memory/3852-48-0x00000000026B0000-0x0000000002718000-memory.dmp

Filesize
416KB

Download
memory/3852-174-0x00000000026B0000-0x0000000002718000-memory.dmp

Filesize
416KB

Download