Windows Analysis Report
ADZP 20 Complex.exe

Overview

General Information

Sample name: ADZP 20 Complex.exe
Analysis ID: 1428362
MD5: 8b6a377f9a67d5482a8eba5708f45bb2
SHA1: 7197436525e568606850ee5e033c43aea1c3bc91
SHA256: 6ca11c8b6442db97c02f3b0f73db61f58c96d52e8a880e33abee5b10807d993f
Tags: exe
Infos:

Detection

Babadeda
Score: 58
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus / Scanner detection for submitted sample
Antivirus detection for dropped file
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected Babadeda
Command shell drops VBS files
Machine Learning detection for dropped file
Machine Learning detection for sample
Sample is not signed and drops a device driver
Self deletion via cmd or bat file
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: WScript or CScript Dropper
Uses cmd line tools excessively to alter registry or file data
Uses ipconfig to lookup or modify the Windows network settings
Contains functionality to dynamically determine API calls
Creates a process in suspended mode (likely to inject code)
Creates driver files
Creates files inside the system directory
Detected potential crypto function
Drops PE files
Drops PE files to the windows directory (C:\Windows)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found potential string decryption / allocating functions
May infect USB drives
May sleep (evasive loops) to hinder dynamic analysis
PE file contains sections with non-standard names
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Suspicious Recursive Takeown
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Sleep loop found (likely to delay execution)
Uses 32bit PE files
Uses reg.exe to modify the Windows registry
Uses taskkill to terminate processes

Classification

Name Description Attribution Blogpost URLs Link
Babadeda According to PCrisk, Babadeda is a new sample in the crypters family, allowing threat actors to encrypt and obfuscate the malicious samples. The obfuscation allows malware to bypass the majority of antivirus protections without triggering any alerts. According to the researchers analysis, Babadeda leverages a sophisticated and complex obfuscation that shows a very low detection rate by anti-virus engines. No Attribution https://malpedia.caad.fkie.fraunhofer.de/details/win.babadeda

AV Detection
barindex
Antivirus / Scanner detection for submitted sample
Source: ADZP 20 Complex.exe Avira: detected
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\Desktop\Twain_20.dll Avira: detection malicious, Label: TR/AD.BatBadJoke.javlp
Source: C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat Avira: detection malicious, Label: BAT/Agent.RAA
Source: C:\Users\user\Desktop\Twain_20.dll Avira: detection malicious, Label: TR/AD.BatBadJoke.javlp
Source: C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat Avira: detection malicious, Label: BAT/Agent.RAA
Multi AV Scanner detection for dropped file
Source: C:\Users\user\Desktop\Twain_20.dll ReversingLabs: Detection: 63%
Source: C:\Windows\System32\Twain_20.dll ReversingLabs: Detection: 63%
Multi AV Scanner detection for submitted file
Source: ADZP 20 Complex.exe ReversingLabs: Detection: 63%
Machine Learning detection for dropped file
Source: C:\Users\user\Desktop\Twain_20.dll Joe Sandbox ML: detected
Source: C:\Users\user\Desktop\Twain_20.dll Joe Sandbox ML: detected
Machine Learning detection for sample
Source: ADZP 20 Complex.exe Joe Sandbox ML: detected
Uses 32bit PE files
Source: ADZP 20 Complex.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
May infect USB drives
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.000000000254C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3314133631.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000003.1972664336.000000000254D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000000.00000002.3321208748.0000000002540000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.0000000002510000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240360738.000000000251C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000003.2030226696.000000000251D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000001E.00000002.3240149731.0000000002160000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.000000000234C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256041689.00000000021A0000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000003.2044192341.000000000234D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 00000025.00000002.3256174955.0000000002340000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.0000000002300000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3294165874.0000000002130000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000003.2063449358.000000000230D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo off>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: ADZP 20 Complex.exe, 0000002F.00000002.3305122486.000000000230C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: echo Label=???>>Autorun.inf
Source: 9B6A.bat.0.dr Binary or memory string: echo off>>Autorun.inf
Source: 9B6A.bat.0.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: 9B6A.bat.0.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: 9B6A.bat.0.dr Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: 9B6A.bat.0.dr Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: 9B6A.bat.0.dr Binary or memory string: echo Label=???>>Autorun.inf
Source: Autorun.inf.2.dr Binary or memory string: [AutoRun]
Source: B53B.bat.37.dr Binary or memory string: echo off>>Autorun.inf
Source: B53B.bat.37.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: B53B.bat.37.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: B53B.bat.37.dr Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: B53B.bat.37.dr Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: B53B.bat.37.dr Binary or memory string: echo Label=???>>Autorun.inf
Source: B134.bat.30.dr Binary or memory string: echo off>>Autorun.inf
Source: B134.bat.30.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: B134.bat.30.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: B134.bat.30.dr Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: B134.bat.30.dr Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: B134.bat.30.dr Binary or memory string: echo Label=???>>Autorun.inf
Source: BE05.bat.47.dr Binary or memory string: echo off>>Autorun.inf
Source: BE05.bat.47.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: BE05.bat.47.dr Binary or memory string: echo [AutoRun]>>Autorun.inf
Source: BE05.bat.47.dr Binary or memory string: echo Open=ADZP 20 Complex>>Autorun.inf
Source: BE05.bat.47.dr Binary or memory string: echo Action=Start ADZP 20 Complex>>Autorun.inf
Source: BE05.bat.47.dr Binary or memory string: echo Label=???>>Autorun.inf
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\ Jump to behavior
Creates driver files
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\virus.sys Jump to behavior
Creates files inside the system directory
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll\:Zone.Identifier:$DATA Jump to behavior
Source: C:\Windows\System32\mspaint.exe File created: C:\Windows\Debug\WIA
Source: C:\Windows\System32\mspaint.exe File created: C:\Windows\Debug\WIA\wiatrace.log
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll\:Zone.Identifier:$DATA
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll\:Zone.Identifier:$DATA
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll\:Zone.Identifier:$DATA
Detected potential crypto function
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00411079 0_2_00411079
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00411C20 0_2_00411C20
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00411033 0_2_00411033
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00410C80 0_2_00410C80
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00410CA0 0_2_00410CA0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040B9C7 0_2_0040B9C7
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040FA68 0_2_0040FA68
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040CF18 0_2_0040CF18
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040EFF0 0_2_0040EFF0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00410FB0 0_2_00410FB0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00411079 30_2_00411079
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00411C20 30_2_00411C20
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00411033 30_2_00411033
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00410C80 30_2_00410C80
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00410CA0 30_2_00410CA0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_0040B9C7 30_2_0040B9C7
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_0040FA68 30_2_0040FA68
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_0040CF18 30_2_0040CF18
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_0040EFF0 30_2_0040EFF0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00410FB0 30_2_00410FB0
Found potential string decryption / allocating functions
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: String function: 0040E5F0 appears 38 times
Uses 32bit PE files
Source: ADZP 20 Complex.exe Static PE information: RELOCS_STRIPPED, EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Uses reg.exe to modify the Windows registry
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
Source: classification engine Classification label: mal58.troj.winEXE@294/17@0/0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00402664 LoadResource,SizeofResource,FreeResource, 0_2_00402664
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\ErrorCritico.vbs Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6396:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7540:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7940:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2680:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_03
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File created: C:\Users\user\AppData\Local\Temp\9B58.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe Jump to behavior
Source: C:\Windows\System32\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DiskPart")
Source: C:\Windows\System32\wscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process WHERE ( Caption = "DiskPart")
Source: C:\Windows\System32\cmd.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: ADZP 20 Complex.exe ReversingLabs: Detection: 63%
Source: unknown Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Taskdl.bat
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /release
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.*
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs"
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado!
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe
Source: unknown Process created: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe "C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe" -ServerName:App.AppXsm3pg4n7er43kdh1qp4e79f1j7am68r8.mca
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe"
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe"" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Taskdl.bat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.* Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado! Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process created: C:\Windows\System32\cmd.exe "C:\Windows\sysnative\cmd" /c "C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat "C:\Users\user\Desktop\ADZP 20 Complex.exe""
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: pcacli.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: sfc_os.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\takeown.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Windows\System32\ipconfig.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: framedynos.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: dbghelp.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: winsta.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\taskkill.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: ulib.dll Jump to behavior
Source: C:\Windows\System32\attrib.exe Section loaded: fsutilext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\System32\wscript.exe Section loaded: vbscript.dll
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\wscript.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\wscript.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\wscript.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\msg.exe Section loaded: winsta.dll
Source: C:\Windows\System32\msg.exe Section loaded: winsta.dll
Source: C:\Windows\System32\msg.exe Section loaded: winsta.dll
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: winmm.dll
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\notepad.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wldp.dll
Source: C:\Windows\System32\notepad.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\notepad.exe Section loaded: efswrt.dll
Source: C:\Windows\System32\notepad.exe Section loaded: mpr.dll
Source: C:\Windows\System32\notepad.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\notepad.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\notepad.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\notepad.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\notepad.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\notepad.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\calc.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\calc.exe Section loaded: wldp.dll
Source: C:\Windows\System32\calc.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\calc.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\calc.exe Section loaded: propsys.dll
Source: C:\Windows\System32\calc.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\calc.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\calc.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\calc.exe Section loaded: netutils.dll
Source: C:\Windows\System32\calc.exe Section loaded: ieframe.dll
Source: C:\Windows\System32\calc.exe Section loaded: netapi32.dll
Source: C:\Windows\System32\calc.exe Section loaded: version.dll
Source: C:\Windows\System32\calc.exe Section loaded: userenv.dll
Source: C:\Windows\System32\calc.exe Section loaded: winhttp.dll
Source: C:\Windows\System32\calc.exe Section loaded: wkscli.dll
Source: C:\Windows\System32\calc.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\calc.exe Section loaded: edputil.dll
Source: C:\Windows\System32\calc.exe Section loaded: secur32.dll
Source: C:\Windows\System32\calc.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\calc.exe Section loaded: mlang.dll
Source: C:\Windows\System32\calc.exe Section loaded: wininet.dll
Source: C:\Windows\System32\calc.exe Section loaded: profapi.dll
Source: C:\Windows\System32\calc.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\calc.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\calc.exe Section loaded: twinui.appcore.dll
Source: C:\Windows\System32\calc.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\System32\calc.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\calc.exe Section loaded: execmodelproxy.dll
Source: C:\Windows\System32\calc.exe Section loaded: mrmcorer.dll
Source: C:\Windows\System32\calc.exe Section loaded: windows.staterepositorycore.dll
Source: C:\Windows\System32\calc.exe Section loaded: appxdeploymentclient.dll
Source: C:\Windows\System32\calc.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\System32\calc.exe Section loaded: windows.ui.dll
Source: C:\Windows\System32\calc.exe Section loaded: windowmanagementapi.dll
Source: C:\Windows\System32\calc.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\calc.exe Section loaded: inputhost.dll
Source: C:\Windows\System32\calc.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\calc.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\calc.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\calc.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\calc.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\calc.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\calc.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\calc.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: aepic.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.dll
Source: C:\Windows\explorer.exe Section loaded: userenv.dll
Source: C:\Windows\explorer.exe Section loaded: iphlpapi.dll
Source: C:\Windows\explorer.exe Section loaded: powrprof.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: dxgi.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: propsys.dll
Source: C:\Windows\explorer.exe Section loaded: coremessaging.dll
Source: C:\Windows\explorer.exe Section loaded: urlmon.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: wtsapi32.dll
Source: C:\Windows\explorer.exe Section loaded: wininet.dll
Source: C:\Windows\explorer.exe Section loaded: uxtheme.dll
Source: C:\Windows\explorer.exe Section loaded: dwmapi.dll
Source: C:\Windows\explorer.exe Section loaded: sspicli.dll
Source: C:\Windows\explorer.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\explorer.exe Section loaded: ntmarta.dll
Source: C:\Windows\explorer.exe Section loaded: cryptsp.dll
Source: C:\Windows\explorer.exe Section loaded: wldp.dll
Source: C:\Windows\explorer.exe Section loaded: iertutil.dll
Source: C:\Windows\explorer.exe Section loaded: srvcli.dll
Source: C:\Windows\explorer.exe Section loaded: netutils.dll
Source: C:\Windows\explorer.exe Section loaded: umpdc.dll
Source: C:\Windows\explorer.exe Section loaded: profapi.dll
Source: C:\Windows\explorer.exe Section loaded: edputil.dll
Source: C:\Windows\explorer.exe Section loaded: apphelp.dll
Source: C:\Windows\explorer.exe Section loaded: appresolver.dll
Source: C:\Windows\explorer.exe Section loaded: bcp47langs.dll
Source: C:\Windows\explorer.exe Section loaded: slc.dll
Source: C:\Windows\explorer.exe Section loaded: sppc.dll
Source: C:\Windows\explorer.exe Section loaded: starttiledata.dll
Source: C:\Windows\explorer.exe Section loaded: usermgrcli.dll
Source: C:\Windows\explorer.exe Section loaded: usermgrproxy.dll
Source: C:\Windows\explorer.exe Section loaded: cscui.dll
Source: C:\Windows\explorer.exe Section loaded: structuredquery.dll
Source: C:\Windows\explorer.exe Section loaded: windows.globalization.dll
Source: C:\Windows\explorer.exe Section loaded: bcp47mrm.dll
Source: C:\Windows\explorer.exe Section loaded: icu.dll
Source: C:\Windows\explorer.exe Section loaded: mswb7.dll
Source: C:\Windows\explorer.exe Section loaded: windows.storage.search.dll
Source: C:\Windows\explorer.exe Section loaded: explorerframe.dll
Source: C:\Windows\explorer.exe Section loaded: actxprxy.dll
Source: C:\Windows\explorer.exe Section loaded: wintypes.dll
Source: C:\Windows\explorer.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: apphelp.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: acgenral.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: userenv.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: mpr.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: mfc42u.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: propsys.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: winmm.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: ninput.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: msftedit.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: uiribbon.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: xmllite.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: wldp.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: efswrt.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: wintypes.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: twinapi.appcore.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: sti.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: wiatrace.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: atlthunk.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: dwmapi.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: windowscodecs.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: textshaping.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: oleacc.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: textinputframework.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: coreuicomponents.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: coremessaging.dll
Source: C:\Windows\System32\mspaint.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\System32\cmd.exe Section loaded: ntmarta.dll
Source: C:\Windows\System32\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\System32\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\System32\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\System32\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\System32\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\System32\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\System32\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\System32\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\System32\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\System32\cmd.exe Section loaded: policymanager.dll
Source: C:\Windows\System32\cmd.exe Section loaded: msvcp110_win.dll
Source: C:\Windows\System32\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32 Jump to behavior
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\taskkill.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\wscript.exe Automated click: OK
Source: C:\Windows\System32\mspaint.exe File opened: C:\Windows\system32\MSFTEDIT.DLL
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\calc.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Office\16.0\Access\Capabilities\UrlAssociations

Data Obfuscation
barindex
Yara detected Babadeda
Source: Yara match File source: ADZP 20 Complex.exe, type: SAMPLE
Source: Yara match File source: 37.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 37.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 47.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 30.2.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.0.ADZP 20 Complex.exe.400000.0.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\Desktop\Twain_20.dll, type: DROPPED
Source: Yara match File source: C:\Users\user\Desktop\Twain_20.dll, type: DROPPED
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_0040ADD6
PE file contains sections with non-standard names
Source: ADZP 20 Complex.exe Static PE information: section name: .code
Source: Twain_20.dll.2.dr Static PE information: section name: .code
Source: Twain_20.dll0.2.dr Static PE information: section name: .code

Persistence and Installation Behavior
barindex
Command shell drops VBS files
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\ErrorCritico.vbs Jump to behavior
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Advertencia.vbs Jump to behavior
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Informacion.vbs Jump to behavior
Sample is not signed and drops a device driver
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\virus.sys Jump to behavior
Uses cmd line tools excessively to alter registry or file data
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe
Source: C:\Windows\System32\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: reg.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: attrib.exe Jump to behavior
Uses ipconfig to lookup or modify the Windows network settings
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /release
Drops PE files
Source: C:\Windows\System32\cmd.exe File created: C:\Users\user\Desktop\Twain_20.dll Jump to dropped file
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll Jump to dropped file
Drops PE files to the windows directory (C:\Windows)
Source: C:\Windows\System32\cmd.exe File created: C:\Windows\System32\Twain_20.dll Jump to dropped file

Hooking and other Techniques for Hiding and Protection
barindex
Self deletion via cmd or bat file
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File created: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.bat Jump to dropped file
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File created: C:\Users\user\AppData\Local\Temp\B132.tmp\B133.tmp\B134.bat Jump to dropped file
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File created: C:\Users\user\AppData\Local\Temp\B539.tmp\B53A.tmp\B53B.bat Jump to dropped file
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File created: C:\Users\user\AppData\Local\Temp\BE03.tmp\BE04.tmp\BE05.bat Jump to dropped file
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\taskkill.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mspaint.exe Process information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\cmd.exe Process information set: NOOPENFILEERRORBOX
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 2832 Jump to behavior
Source: C:\Windows\System32\conhost.exe Window / User API: threadDelayed 781 Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 2622
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 1711
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Window / User API: threadDelayed 2488
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe TID: 7348 Thread sleep count: 2622 > 30
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe TID: 7532 Thread sleep count: 1711 > 30
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe TID: 7896 Thread sleep count: 2488 > 30
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Last function: Thread delayed
Sleep loop found (likely to delay execution)
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 2832 delay: -10 Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 2622 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 1711 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Thread sleep count: Count: 2488 delay: -10
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\ Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\ Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\AppData\Local\Temp\9B58.tmp\9B59.tmp\9B6A.tmp Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe File opened: C:\Users\user\ Jump to behavior
Source: C:\Windows\System32\mspaint.exe Process information queried: ProcessInformation
Contains functionality to dynamically determine API calls
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_0040ADD6 GetTempPathW,LoadLibraryW,GetProcAddress,GetLongPathNameW,FreeLibrary, 0_2_0040ADD6
Enables debug privileges
Source: C:\Windows\System32\taskkill.exe Process token adjusted: Debug Jump to behavior
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00409FD0 SetUnhandledExceptionFilter, 0_2_00409FD0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 0_2_00409FB0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00409FD0 SetUnhandledExceptionFilter, 30_2_00409FD0
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 30_2_00409FB0 SetUnhandledExceptionFilter,SetUnhandledExceptionFilter,SetUnhandledExceptionFilter, 30_2_00409FB0
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Twain_20.cmd Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Informacion.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /K Taskdl.bat Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_local_machinesoftwaremicrosoftwindowscurrentversionrun /v WINDOWsAPI /t reg_sz /d c:windowswimn32.bat /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\reg.exe reg add hkey_current_usersoftwaremicrosoftwindowscurrentversionrun /v CONTROLexit /t reg_sz /d c:windowswimn32.bat /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\ipconfig.exe ipconfig /release Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\attrib.exe attrib -r -a -s -h *.* Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\ErrorCritico.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\Desktop\Advertencia.vbs" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Virus Detectado Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\msg.exe msg * Has Sido Hackeado! Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\mspaint.exe mspaint.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Users\user\Desktop\ADZP 20 Complex.exe "C:\Users\user\Desktop\ADZP 20 Complex.exe" Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\notepad.exe notepad Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\calc.exe calc Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\explorer.exe explorer.exe Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\takeown.exe takeown /f "C:\Windows\System32" /r Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Source: C:\Windows\System32\cmd.exe Process created: unknown unknown
Uses taskkill to terminate processes
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f Jump to behavior
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\taskkill.exe taskkill /im DiskPart /f Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation Jump to behavior
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segoeui.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\segoeuib.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Windows\Fonts\seguisb.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Calculator.exe Queries volume information: C:\Program Files\WindowsApps\Microsoft.WindowsCalculator_10.1906.55.0_x64__8wekyb3d8bbwe\Assets\CalcMDL2.ttf VolumeInformation
Source: C:\Windows\System32\cmd.exe Queries volume information: C:\ VolumeInformation
Source: C:\Users\user\Desktop\ADZP 20 Complex.exe Code function: 0_2_00405573 GetVersionExW,GetVersionExW, 0_2_00405573
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 signatures2 2 Behavior Graph ID: 1428362 Sample: ADZP 20 Complex.exe Startdate: 18/04/2024 Architecture: WINDOWS Score: 58 62 Antivirus detection for dropped file 2->62 64 Antivirus / Scanner detection for submitted sample 2->64 66 Multi AV Scanner detection for dropped file 2->66 68 7 other signatures 2->68 8 ADZP 20 Complex.exe 8 2->8         started        11 Calculator.exe 2->11         started        process3 file4 52 C:\Users\user\AppData\Local\Temp\...\9B6A.bat, Unicode 8->52 dropped 13 cmd.exe 3 35 8->13         started        17 conhost.exe 8->17         started        process5 file6 54 C:\Windows\System32\Twain_20.dll, PE32 13->54 dropped 56 C:\Users\user\Desktop\Twain_20.dll, PE32 13->56 dropped 58 C:\Users\user\Desktop\Informacion.vbs, ASCII 13->58 dropped 60 2 other malicious files 13->60 dropped 70 Command shell drops VBS files 13->70 72 Uses cmd line tools excessively to alter registry or file data 13->72 74 Uses ipconfig to lookup or modify the Windows network settings 13->74 76 Sample is not signed and drops a device driver 13->76 19 ADZP 20 Complex.exe 13->19         started        22 ADZP 20 Complex.exe 13->22         started        24 ADZP 20 Complex.exe 13->24         started        26 33 other processes 13->26 signatures7 process8 file9 46 C:\Users\user\AppData\Local\Temp\...\B134.bat, Unicode 19->46 dropped 28 conhost.exe 19->28         started        30 cmd.exe 19->30         started        48 C:\Users\user\AppData\Local\Temp\...\B53B.bat, Unicode 22->48 dropped 32 conhost.exe 22->32         started        34 cmd.exe 22->34         started        50 C:\Users\user\AppData\Local\Temp\...\BE05.bat, Unicode 24->50 dropped 44 2 other processes 24->44 36 takeown.exe 1 26->36         started        38 conhost.exe 26->38         started        40 conhost.exe 26->40         started        42 conhost.exe 26->42         started        process10
No contacted IP infos