ccc6a5077b55f9c96e1bb37bd963ffa1586764f74ae0431bb13e97aab099e0fe

Resubmissions

06-04-2022 17:56

220406-whze2agbf9 8

06-04-2022 17:48

220406-wdr56acgbr 8

Analysis

max time kernel
213s
max time network
216s
platform
windows10-2004_x64
resource
win10v2004-20220331-en
submitted
06-04-2022 17:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

B9B8BC0D8669C6E55F651DCA76E9A1A9.exe
Size

15.7MB
MD5

b9b8bc0d8669c6e55f651dca76e9a1a9
SHA1

1f59d1d5501b5d5a9417b56a09b9d34cc6375a6d
SHA256

ccc6a5077b55f9c96e1bb37bd963ffa1586764f74ae0431bb13e97aab099e0fe
SHA512

0f88efdd16ffb7faf4ca415179dd78ddcb0e2974eda7f3748f76291826c189e53587019c365a7b157e9c4a283cf6f3536666822d55f9ff20f521036a9ff7a15f

Score

8^/10

discovery link pdf

Malware Config

Signatures

Executes dropped EXE 3 IoCs

Processes:

is-73S33.tmpunins000.exe_iu14D2N.tmp

pid process

1104 is-73S33.tmp
4980 unins000.exe
1944 _iu14D2N.tmp

pid	process
1104	is-73S33.tmp
4980	unins000.exe
1944	_iu14D2N.tmp

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

is-73S33.tmp

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\Control Panel\International\Geo\Nation	is-73S33.tmp

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 64 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe

Drops file in Windows directory 1 IoCs

Processes:

msiexec.exe

description ioc process

File created C:\Windows\Installer\e576179.msi msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e576179.msi	msiexec.exe

HTTP links in PDF interactive object 2 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

Processes:

resource	yara_rule
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.pdf	pdf_with_link_action
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y envio de Archivo xml formato 2517v4.pdf	pdf_with_link_action

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vssvc.exesvchost.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004D	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\300A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\0016	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0018	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{afd97640-86a3-4210-b67c-289c41aabe55}\0003	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{80d81ea6-7473-4b0c-8216-efc11a2c4c8b}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004C	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{4340a6c5-93fa-4706-972c-7b648008a5a7}\0008	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Capabilities	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0055	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0058	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{3464f7a4-2444-40b1-980a-e0903cb6d912}\000A\	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\CompatibleIDs	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\000A	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{83da6326-97a6-4088-9453-a1923f573b29}\0005	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\HardwareID	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{a8b865dd-2e3d-4094-ad97-e593a70c75d6}\0008\	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{88ad39db-0d0c-4a38-8435-4043826b5c91}\0008	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0034	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0051	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Capabilities	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0038	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0052	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{656a3bb3-ecc0-43fd-8477-4ae0404a96cd}\2006	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\0054	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\004E	svchost.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Mfg	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0002	svchost.exe

Checks processor information in registry 2 TTPs 21 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXEAcroRd32.exeAcroRd32.exeAcroRd32.exeAcroRd32.exeAcroRd32.exeAcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe

Enumerates system info in registry 2 TTPs 9 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 1 IoCs

Processes:

svchost.exe

description ioc process

Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe
Modifies registry class 1 IoCs

Processes:

is-73S33.tmp

description ioc process

Key created \REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Local Settings is-73S33.tmp
Suspicious behavior: AddClipboardFormatListener 4 IoCs

Processes:

WINWORD.EXEWINWORD.EXEWINWORD.EXE

pid process

1372 WINWORD.EXE
1372 WINWORD.EXE
4884 WINWORD.EXE
2764 WINWORD.EXE

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1082102374-1487407228-1886994731-1000_Classes\Local Settings	is-73S33.tmp

pid	process
1372	WINWORD.EXE
1372	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

msiexec.exeAcroRd32.exeAdobeARM.exe

pid	process
3160	msiexec.exe
3160	msiexec.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
4548	AdobeARM.exe
4548	AdobeARM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exemsiexec.exevssvc.exesrtasks.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	608	msiexec.exe
Token: SeSecurityPrivilege	3160	msiexec.exe
Token: SeCreateTokenPrivilege	608	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	608	msiexec.exe
Token: SeLockMemoryPrivilege	608	msiexec.exe
Token: SeIncreaseQuotaPrivilege	608	msiexec.exe
Token: SeMachineAccountPrivilege	608	msiexec.exe
Token: SeTcbPrivilege	608	msiexec.exe
Token: SeSecurityPrivilege	608	msiexec.exe
Token: SeTakeOwnershipPrivilege	608	msiexec.exe
Token: SeLoadDriverPrivilege	608	msiexec.exe
Token: SeSystemProfilePrivilege	608	msiexec.exe
Token: SeSystemtimePrivilege	608	msiexec.exe
Token: SeProfSingleProcessPrivilege	608	msiexec.exe
Token: SeIncBasePriorityPrivilege	608	msiexec.exe
Token: SeCreatePagefilePrivilege	608	msiexec.exe
Token: SeCreatePermanentPrivilege	608	msiexec.exe
Token: SeBackupPrivilege	608	msiexec.exe
Token: SeRestorePrivilege	608	msiexec.exe
Token: SeShutdownPrivilege	608	msiexec.exe
Token: SeDebugPrivilege	608	msiexec.exe
Token: SeAuditPrivilege	608	msiexec.exe
Token: SeSystemEnvironmentPrivilege	608	msiexec.exe
Token: SeChangeNotifyPrivilege	608	msiexec.exe
Token: SeRemoteShutdownPrivilege	608	msiexec.exe
Token: SeUndockPrivilege	608	msiexec.exe
Token: SeSyncAgentPrivilege	608	msiexec.exe
Token: SeEnableDelegationPrivilege	608	msiexec.exe
Token: SeManageVolumePrivilege	608	msiexec.exe
Token: SeImpersonatePrivilege	608	msiexec.exe
Token: SeCreateGlobalPrivilege	608	msiexec.exe
Token: SeBackupPrivilege	780	vssvc.exe
Token: SeRestorePrivilege	780	vssvc.exe
Token: SeAuditPrivilege	780	vssvc.exe
Token: SeBackupPrivilege	3160	msiexec.exe
Token: SeRestorePrivilege	3160	msiexec.exe
Token: SeBackupPrivilege	4980	srtasks.exe
Token: SeRestorePrivilege	4980	srtasks.exe
Token: SeSecurityPrivilege	4980	srtasks.exe
Token: SeTakeOwnershipPrivilege	4980	srtasks.exe
Token: SeBackupPrivilege	4980	srtasks.exe
Token: SeRestorePrivilege	4980	srtasks.exe
Token: SeSecurityPrivilege	4980	srtasks.exe
Token: SeTakeOwnershipPrivilege	4980	srtasks.exe
Token: SeBackupPrivilege	4980	srtasks.exe
Token: SeRestorePrivilege	4980	srtasks.exe
Token: SeSecurityPrivilege	4980	srtasks.exe
Token: SeTakeOwnershipPrivilege	4980	srtasks.exe
Token: SeShutdownPrivilege	3656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3656	msiexec.exe
Token: SeCreateTokenPrivilege	3656	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	3656	msiexec.exe
Token: SeLockMemoryPrivilege	3656	msiexec.exe
Token: SeIncreaseQuotaPrivilege	3656	msiexec.exe
Token: SeMachineAccountPrivilege	3656	msiexec.exe
Token: SeTcbPrivilege	3656	msiexec.exe
Token: SeSecurityPrivilege	3656	msiexec.exe
Token: SeTakeOwnershipPrivilege	3656	msiexec.exe
Token: SeLoadDriverPrivilege	3656	msiexec.exe
Token: SeSystemProfilePrivilege	3656	msiexec.exe
Token: SeSystemtimePrivilege	3656	msiexec.exe
Token: SeProfSingleProcessPrivilege	3656	msiexec.exe
Token: SeIncBasePriorityPrivilege	3656	msiexec.exe

Suspicious use of FindShellTrayWindow 11 IoCs

Processes:

msiexec.exeAcroRd32.exeWINWORD.EXEWINWORD.EXEWINWORD.EXEmsiexec.exe

pid	process
608	msiexec.exe
608	msiexec.exe
3648	AcroRd32.exe
1372	WINWORD.EXE
2764	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE
1372	WINWORD.EXE
4884	WINWORD.EXE
3656	msiexec.exe
3656	msiexec.exe

Suspicious use of SetWindowsHookEx 60 IoCs

Processes:

AcroRd32.exeAcroRd32.exeAcroRd32.exeAcroRd32.exeAcroRd32.exeWINWORD.EXEWINWORD.EXEWINWORD.EXEAdobeARM.exeunins000.exe_iu14D2N.tmpAcroRd32.exe

pid	process
3648	AcroRd32.exe
3504	AcroRd32.exe
4384	AcroRd32.exe
3864	AcroRd32.exe
4732	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
1372	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE
1372	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE
1372	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
1372	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE
3648	AcroRd32.exe
1372	WINWORD.EXE
2764	WINWORD.EXE
4884	WINWORD.EXE
1372	WINWORD.EXE
1372	WINWORD.EXE
2764	WINWORD.EXE
2764	WINWORD.EXE
4884	WINWORD.EXE
4884	WINWORD.EXE
3648	AcroRd32.exe
3648	AcroRd32.exe
1372	WINWORD.EXE
1372	WINWORD.EXE
4884	WINWORD.EXE
1372	WINWORD.EXE
2764	WINWORD.EXE
4884	WINWORD.EXE
2764	WINWORD.EXE
3648	AcroRd32.exe
3648	AcroRd32.exe
3648	AcroRd32.exe
4548	AdobeARM.exe
4980	unins000.exe
1944	_iu14D2N.tmp
3644	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

B9B8BC0D8669C6E55F651DCA76E9A1A9.exeis-73S33.tmpmsiexec.exeAcroRd32.exeRdrCEF.exe

description	pid	process	target process
PID 2292 wrote to memory of 1104	2292	B9B8BC0D8669C6E55F651DCA76E9A1A9.exe	is-73S33.tmp
PID 2292 wrote to memory of 1104	2292	B9B8BC0D8669C6E55F651DCA76E9A1A9.exe	is-73S33.tmp
PID 2292 wrote to memory of 1104	2292	B9B8BC0D8669C6E55F651DCA76E9A1A9.exe	is-73S33.tmp
PID 1104 wrote to memory of 608	1104	is-73S33.tmp	msiexec.exe
PID 1104 wrote to memory of 608	1104	is-73S33.tmp	msiexec.exe
PID 1104 wrote to memory of 608	1104	is-73S33.tmp	msiexec.exe
PID 3160 wrote to memory of 4980	3160	msiexec.exe	srtasks.exe
PID 3160 wrote to memory of 4980	3160	msiexec.exe	srtasks.exe
PID 1104 wrote to memory of 4384	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 4384	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 4384	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 4884	1104	is-73S33.tmp	WINWORD.EXE
PID 1104 wrote to memory of 4884	1104	is-73S33.tmp	WINWORD.EXE
PID 1104 wrote to memory of 1372	1104	is-73S33.tmp	WINWORD.EXE
PID 1104 wrote to memory of 1372	1104	is-73S33.tmp	WINWORD.EXE
PID 1104 wrote to memory of 2764	1104	is-73S33.tmp	WINWORD.EXE
PID 1104 wrote to memory of 2764	1104	is-73S33.tmp	WINWORD.EXE
PID 1104 wrote to memory of 3504	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3504	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3504	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3864	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3864	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3864	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3648	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3648	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 3648	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 4732	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 4732	1104	is-73S33.tmp	AcroRd32.exe
PID 1104 wrote to memory of 4732	1104	is-73S33.tmp	AcroRd32.exe
PID 3648 wrote to memory of 800	3648	AcroRd32.exe	RdrCEF.exe
PID 3648 wrote to memory of 800	3648	AcroRd32.exe	RdrCEF.exe
PID 3648 wrote to memory of 800	3648	AcroRd32.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe
PID 800 wrote to memory of 3560	800	RdrCEF.exe	RdrCEF.exe

C:\Users\Admin\AppData\Local\Temp\B9B8BC0D8669C6E55F651DCA76E9A1A9.exe
"C:\Users\Admin\AppData\Local\Temp\B9B8BC0D8669C6E55F651DCA76E9A1A9.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2292

C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp
"C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp" /SL4 $140054 "C:\Users\Admin\AppData\Local\Temp\B9B8BC0D8669C6E55F651DCA76E9A1A9.exe" 16185951 52224
2⤵
- Executes dropped EXE
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1104

C:\Windows\SysWOW64\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\msxmlspa.msi"
3⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:608

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\VerAyuda.pdf"
3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4384

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:4884

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y enviio de Archivo xml formato 2517v4.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1372

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.docx" /o ""
3⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:2764

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.pdf"
3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3504

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y envio de Archivo xml formato 2517v4.pdf"
3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3864

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.pdf"
3⤵
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3648

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
4⤵
- Suspicious use of WriteProcessMemory
PID:800

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=021F4C4DADE58078056D88440BECD91F --mojo-platform-channel-handle=1716 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3560

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=359DDBC5CD698CA4E17AC48BB2A306B1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=359DDBC5CD698CA4E17AC48BB2A306B1 --renderer-client-id=2 --mojo-platform-channel-handle=1724 --allow-no-sandbox-job /prefetch:1
5⤵
PID:1644

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=06EBBA2AE9AFAE53866B6E44480267BD --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=06EBBA2AE9AFAE53866B6E44480267BD --renderer-client-id=4 --mojo-platform-channel-handle=2280 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4680

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=96DA5761B5FDE4E020D27AE8CE5834E6 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=96DA5761B5FDE4E020D27AE8CE5834E6 --renderer-client-id=5 --mojo-platform-channel-handle=2300 --allow-no-sandbox-job /prefetch:1
5⤵
PID:868

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F5667FE096B0E8EC6AB75EC5D2674026 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F5667FE096B0E8EC6AB75EC5D2674026 --renderer-client-id=6 --mojo-platform-channel-handle=2408 --allow-no-sandbox-job /prefetch:1
5⤵
PID:1308

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=235982A33BDA077588F458F155CA1888 --mojo-platform-channel-handle=3040 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3364

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F4004BCDDD8C5B303782C3C63355A6F3 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F4004BCDDD8C5B303782C3C63355A6F3 --renderer-client-id=8 --mojo-platform-channel-handle=3280 --allow-no-sandbox-job /prefetch:1
5⤵
PID:4880

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=804C2D9196CFDCEA8BF472729A3ED313 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=1 --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=804C2D9196CFDCEA8BF472729A3ED313 --renderer-client-id=9 --mojo-platform-channel-handle=3428 --allow-no-sandbox-job /prefetch:1
5⤵
PID:608

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FE10E59A786711D93FF67A2691871759 --mojo-platform-channel-handle=3872 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:1332

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=225469FE1C57868EA2EC05E264FA219C --mojo-platform-channel-handle=3896 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
5⤵
PID:3920

C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /PRODUCT:Reader /VERSION:19.0 /MODE:3
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:4548

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
5⤵
PID:8

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Anexo_4_Guia de diligenciamiento del formato 2517 V3.pdf"
3⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:4732

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3160

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
2⤵
- Suspicious use of AdjustPrivilegeToken
PID:4980

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:780

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s DsmSvc
1⤵
- Checks SCSI registry key(s)
- Modifies data under HKEY_USERS
PID:4168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4468

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{5AAABB05-F91B-4BCE-AB18-D8319DEDABA8}
1⤵
PID:368

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4252

C:\Windows\System32\msiexec.exe
"C:\Windows\System32\msiexec.exe" /i "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\msxmlspa.msi"
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3656

C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe
"C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4980

C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
"C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp" /SECONDPHASE="C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe" /FIRSTPHASEWND=$4037A
2⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1944

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\VerAyuda.pdf"
1⤵
- Checks processor information in registry
- Suspicious use of SetWindowsHookEx
PID:3644

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Anexo_4_Guia de diligenciamiento del formato 2517 V3.pdf
Filesize
808KB

MD5
ecf271a2e80a019dc0d5d370cf0462cf

SHA1
e1537793a67a57ca743a8d2f12998d290af22dc9

SHA256
2b44db50d29627134bef4d778484a4477f2305b59d609aa94d5d486dccc8ca62

SHA512
30fd2646a494c6b8eb69e8ac62fce22d0e437dd2da8e21da776e3e897c32ccd2112a9162c5fd57f876b72e90caee140d432f1c68edc885f26c1a7a63061b8335

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.docx
Filesize
2.6MB

MD5
fcd5db248499c842077c4d6fb6732fc4

SHA1
a62f20999344e68f1590c8485600454d18d7f278

SHA256
ede8d37bd7128698d0146297df66e6fcb6b25567bdc7b524ce7c694480867498

SHA512
cc944c190a0614585cc42f7e9b2d7513bce3a1cce5f8b8ca11ea9135d3223bfdc0a8707d13e6592b92c4b63a6dacfd4ed3d0d1de54db3e10e55646a9ec359847

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia del usuario prevalidador reporte conciliacion fiscal - Formato 2517v4.pdf
Filesize
2.4MB

MD5
9ddccc7b834872af7e1e759f44b20e64

SHA1
e40f131640c693ec77aaa21f4dc9c05dba0a170e

SHA256
59b71445836292c8ad4e8f1ffc6813b449d5231acf2602c98ec1d9dc54093201

SHA512
6d92fbc95f8b4591706b345b613e2f55461cfc3e687dd6ca8895b5fe07e6346aa81c1b3f0469c199bdf236525d621272b81c257038e84e96f6009b27f95b32c4

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y enviio de Archivo xml formato 2517v4.docx
Filesize
2.3MB

MD5
b41a72df7d7895c1edf0f2df7884737e

SHA1
4b360b28912a56732616394f2c3e13555eed7432

SHA256
b939c0aa433e4d01c55b5d1fcf48b001156c9e774b153f2099aaf62f01dc1458

SHA512
8a8773bb5141ade5a803081463f3cefe54502d4dbdbd0c93f84eb5d544fb3f7a65b3d6a4c08c26360532c6f7d9c53d04b75368b5d483557f88d6dbb87280a024

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Guia para la carga y envio de Archivo xml formato 2517v4.pdf
Filesize
1.8MB

MD5
5cd56659be9ff30cc7dda3ecdf4475a8

SHA1
0e57a43952031bddc528449dfb25effe0a1a9396

SHA256
e51218cfb5b3e30422cca7935c02287a118b128403bffccc34ca453d8c7ad98f

SHA512
5fcfb65efeb2480f069fd1887c4813c36d8fa888685fc3364cda89dad2fb8b73f474aca735e8d42e0d3f96b7d180526e1b00393a354c3f709890c7350550abf2

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.docx
Filesize
179KB

MD5
1c1431f92005213acd8d937df2bb097d

SHA1
c51b039b73850202a1d63aa2a320dcac9a75cca0

SHA256
318909f3e8e43c1f7e5d4b5deeb0bb172a77ac35d3789d063013452490a80cdf

SHA512
c0c2858ead45c296964d5053c9917030b53742e8a224f5ecd56df1f7305f1ed9d7dfef7e57befe9fd0bac64aee210ac2dca25038a506ae2ca12fd611ac9c907b

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Preguntas frecuentes Reporte de Conciliacion Fiscal Anexo Formulario 210 - Formato 2517V4.pdf
Filesize
456KB

MD5
2925f7829727157e4605b29f27dc70d2

SHA1
ff5d3a9daa38d168c97352c508aa270bd7fdc007

SHA256
da85df5f1cc39ac907284c7523da5dc3282144735a84f943d4040b519854f561

SHA512
145024d337b2c7ce84755803989a87507fad7f605c48512aa8ef9db4d57824ac1fc3a5d03824d7ae5181bcc61b17609962f23a4f80e9b8fe31245644b32ae34a

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022.xlsm
Filesize
2.8MB

MD5
ff2431f2316442f03aaa5be9d8685c45

SHA1
7e1ba375d4d40bc624aef37e35e45de0ee591a54

SHA256
c7c94f90ef3d0d6184790dc86d5c69afc14e2a625e55b773e966e9f0c4b10f7b

SHA512
6b5319888b76389d8c17896d612265246705c6b5c36a7a361575d58ffcbc2eb6264f4b3b9e8dc1e027948b1c7642a8ccf3d2dbf8ac4a261ad9a124d66916c651

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\VerAyuda.pdf
Filesize
808KB

MD5
ecf271a2e80a019dc0d5d370cf0462cf

SHA1
e1537793a67a57ca743a8d2f12998d290af22dc9

SHA256
2b44db50d29627134bef4d778484a4477f2305b59d609aa94d5d486dccc8ca62

SHA512
30fd2646a494c6b8eb69e8ac62fce22d0e437dd2da8e21da776e3e897c32ccd2112a9162c5fd57f876b72e90caee140d432f1c68edc885f26c1a7a63061b8335

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\msxmlspa.msi
Filesize
5.0MB

MD5
f7697ac65e6d75f5e964d642c9d2ca94

SHA1
7249c988032b56ba92d0208bb229b9979eb90364

SHA256
f2ecfbbb3afb50e93a690a51eb6adee1091a81173990b2ae991aa57216f19e7a

SHA512
e6bf24e4535cb0913b39f663206597dbac11378f41370311e3c0031677680c98fab2d4812e34803288559efb152e65e92e0d2472727232b15bbd400a96fb599e

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.dat
Filesize
7KB

MD5
4943968b3b11aaa7b3d773e225ad25e0

SHA1
71fefd2c408c531cad7721a179b805bbf6d8b545

SHA256
663ce172bee3c5afcf25689bc7c0a6a2dec71d3feab2c7b1bc6f83b59f1be4e5

SHA512
4bb58f8d2d1f10e884e1a50571b389f6590321bc2ed21b3423ad40e1245e19deddfc1e3993ecb39c44d9ef81fc333856d2a1750e46dca8a0ca271cc2ce9f44ce

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe
Filesize
667KB

MD5
80c134e287795665f14ffa476f3fe769

SHA1
6a390801f191c6e8cb980588dba7e12b2b8cd4da

SHA256
85fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3

SHA512
b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\unins000.exe
Filesize
667KB

MD5
80c134e287795665f14ffa476f3fe769

SHA1
6a390801f191c6e8cb980588dba7e12b2b8cd4da

SHA256
85fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3

SHA512
b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85

Download Submit
C:\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022\xsd\2517.xsd
Filesize
18KB

MD5
10b50c95fd4f4ae3e4c92f4fe39d082e

SHA1
f26cad5d9b2d95db57e7503189ec438716b49155

SHA256
8f3157f15904dcf62417c632f88f05959fac030b09e9169f23721dc4a3e3568b

SHA512
45fb98b4f8ff2e3562401023afc16cd2a817d063bd1a89bde4cdb1460ce8a1cd0a25a82563ff7bcea89a7b5a1a7aaa252010f0c91ab9603a0149bca3f0141a41

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195744Z-256.bmp
Filesize
69KB

MD5
c6092d886f3ca2455086e65ce055e2ef

SHA1
5ee63ec7a622ccc5e067a38c6e7aa117a501e39b

SHA256
260528ebff4e41b14eb79bd9d97286a5ca70f4f402924c4094aae9af65e97a00

SHA512
fc6770bb28e28d6f2e91d7cb143ec6ec09e5bc11cde3cb4c19121c048b73da333e40165a18b3ab0bb004752609c16d8f9321c9842277df5c0b77bc9b8d365a8a

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195745Z-264.bmp
Filesize
69KB

MD5
4c9df47496d54c6b05f22a64e6c213bc

SHA1
e28947bc8f767701d4a60ec7674de63c3b251aa5

SHA256
f6bce446e06dfd3b25fea22729d14932790f6d4570fc241679027eaecd532a29

SHA512
7092954d6309c663641eb5331da196aba152a2795b10bc4689431e6fa5813bbae9531dc8f02dd1793f3597627cca6be2bcbdd130f59b9e03f72ef420461c9e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195745Z-266.bmp
Filesize
69KB

MD5
4c9df47496d54c6b05f22a64e6c213bc

SHA1
e28947bc8f767701d4a60ec7674de63c3b251aa5

SHA256
f6bce446e06dfd3b25fea22729d14932790f6d4570fc241679027eaecd532a29

SHA512
7092954d6309c663641eb5331da196aba152a2795b10bc4689431e6fa5813bbae9531dc8f02dd1793f3597627cca6be2bcbdd130f59b9e03f72ef420461c9e06

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195746Z-319.bmp
Filesize
69KB

MD5
56df8cbc8d43c2f5554ef1c489b2a41e

SHA1
fd36e207e81db49b3cfdbe14056bc4c94e8afd0e

SHA256
947cc5c0b38b4eef492d559be4f8580109c3205c94b219f91477dc5733e707b4

SHA512
8bbea96bdc9d3d393530365aa7ad20c869ff8c1208b332fb69aa9567699987429d69f54fc249879f84e0bcd63052dcf0b8f5895e3b1da30cf790885fdc6e6883

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ConnectorIcons\icon-220406195747Z-344.bmp
Filesize
69KB

MD5
45a37f50ebe528c1dd0e5965b1ea837b

SHA1
4c61396c71c1d1f7eba79011d04a6904c803480e

SHA256
e98261c40a923dc776b3089a03a6c40e567ec4f547f724736f6fca26827d7633

SHA512
e4420014e33d492e7d1a9b0156a4671b7c2ecfe5a33b2e12eb0c4d5aadd39bc033043333a6f225e2838a8147dc02bf9e9724549a6072d215f9be6802c041a8fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\WebServiceCache\AllUsers\officeclient.microsoft.com\8C4B3EC2-2E95-4D3B-AD79-AE1F337F7F7B
Filesize
142KB

MD5
afb67dd2efa9fab3534d5b1f027dc542

SHA1
8634fe562a176945405d3a39eafead29ed3ac439

SHA256
1eebc88eac2b7c4340b03370a23e2f390c62f1fd4c8ee1dc0c9591258db74541

SHA512
dbb657edd7a43b5b9752402e78d7b8faca642b324c7fd850456c458a2af8d2e99caf5117876a45c126f9a94e0024d44ae989594d11a2139b6a33ff79125364a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\16.0\winword.exe_Rules.xml
Filesize
306KB

MD5
299cf5ea41d183f6963a6c552c663fd9

SHA1
feffbb799532a9ee58e26a2943740ebaef610639

SHA256
019bd59bd49dcff430ab72c68525bd43b3c9eb286e20737220b1ac884937c2dd

SHA512
1b882bcb4151b5c9cbbfdbd55374b998b41a3e8911b9cb8ad861608d3f7c5956dcfb866858b9b11af84e0698e2b2ba442687ad76a5f435a15d83c190b636f23b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\DLP\TenantInfo.xml
Filesize
76B

MD5
0f8eb2423d2bf6cb5b8bdb44cb170ca3

SHA1
242755226012b4449a49b45491c0b1538ebf6410

SHA256
385347c0cbacdd3c61d2635fbd390e0095a008fd75eeb23af2f14f975c083944

SHA512
a9f23a42340b83a2f59df930d7563e8abd669b9f0955562cd3c2872e2e081f26d6d8b26357972b6d0423af05b2392bddbb46da769788e77fd169b3264ff53886

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Office\OTele\winword.exe.db-wal
Filesize
8KB

MD5
3331e5522d348254cd9d6a616b69ea9b

SHA1
532f0b081524a90ffdbc601c6de0329aa41abe4a

SHA256
1377bbc17b5cb47860dae43f67dd9f6ca532d08b2a93f81fea7c74433a9262c2

SHA512
d31cbb52ab6bfe4efaedb14a411ee83170a8aa6593fa10e5fc8c3ac5778d6ef9d7fbf185dedf574cb4f2badd65d83dc317766ae6d114c75bea0df60498ddc69b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
Filesize
667KB

MD5
80c134e287795665f14ffa476f3fe769

SHA1
6a390801f191c6e8cb980588dba7e12b2b8cd4da

SHA256
85fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3

SHA512
b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\_iu14D2N.tmp
Filesize
667KB

MD5
80c134e287795665f14ffa476f3fe769

SHA1
6a390801f191c6e8cb980588dba7e12b2b8cd4da

SHA256
85fd4c73c137101ccbe9f576a5c9622c49203f604bf36be36a6ba9738da84ac3

SHA512
b22984f917503510345039ae9027386ab66bcf0ef9c537b595e3ed85a810e01ab5013d35e62e6d86ad2c58246c74260572996062ad04c2598221b9a56b67cd85

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp
Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-UUC41.tmp\is-73S33.tmp
Filesize
656KB

MD5
4fa180886ff7c0fd86a65f760ede6318

SHA1
2c89c271c71531362e84ddab5d3028f0756a9281

SHA256
1d9026c60374b056720cdfcfa598a641cc8fbc9932590d69b4cfbc32cd09871c

SHA512
a278b1d36332be9f3c284c0a4716c5e130cc6e1524c03bd693769497aeed97360c74fb8466b2d0ffd474ea8fe545c6961674ea2668a0867aee270659ad0142cd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
664B

MD5
d0d7a7b71f59d72224dc3e1180d8f54a

SHA1
9eb5e6c1702a44641088d2d1b93c6336d7b1f9d3

SHA256
2bb14fb2cd064f4b32a63b822198b4249b5a9009af658dbfe3f6bde6e06bdbfc

SHA512
f47818aa43a03d5b0b9dee3aafe2d86ea601230f9f511caa80cc0ca18b763077a1d3cec6aaab4a3d7afa9a51cef79ba0538d54577f54670c6a70247c3f16a24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Office\Recent\index.dat
Filesize
664B

MD5
d0d7a7b71f59d72224dc3e1180d8f54a

SHA1
9eb5e6c1702a44641088d2d1b93c6336d7b1f9d3

SHA256
2bb14fb2cd064f4b32a63b822198b4249b5a9009af658dbfe3f6bde6e06bdbfc

SHA512
f47818aa43a03d5b0b9dee3aafe2d86ea601230f9f511caa80cc0ca18b763077a1d3cec6aaab4a3d7afa9a51cef79ba0538d54577f54670c6a70247c3f16a24f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\UProof\ExcludeDictionaryES240a.lex
Filesize
2B

MD5
f3b25701fe362ec84616a93a45ce9998

SHA1
d62636d8caec13f04e28442a0a6fa1afeb024bbb

SHA256
b3d510ef04275ca8e698e5b3cbb0ece3949ef9252f0cdc839e9ee347409a2209

SHA512
98c5f56f3de340690c139e58eb7dac111979f0d4dffe9c4b24ff849510f4b6ffa9fd608c0a3de9ac3c9fd2190f0efaf715309061490f9755a9bfdf1c54ca0d84

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
b648832a144c9650ade25006e8192fc1

SHA1
49cf4dc8a7191d04686565c0573cc9352e43de39

SHA256
9d1cac82f8824e241acbd60aa04d109f8bf4ba95e3bd560b2e9065f366b0a16f

SHA512
653fa94d853993ad42979311b2ced49c0c11a59dd421ba50b27e37e8deeadb589b0606f210b887fe93368b678f04808a57be1d8cb9c516c7b863e15873f2d987

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
3KB

MD5
30242978b212a0f8f2c473959c530dc1

SHA1
933a92e7f27e0dff0a8630a2c548324d92196489

SHA256
5b59413980e0ed0d0b73294bc4f3732ccbdc6587a7da8a2fcd719eae053431a8

SHA512
85e3fa41f7cc3b01ce1d3f35e78ef45ae11a0d8640366a0ff98ed5ffc6bc2aba32a40a7a5401b394e683c3493ed1602986fcc94f05c1324a12fbe1bf3c5210f2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
4KB

MD5
03be57265d15b0d6121017dca1144efd

SHA1
283ffdf59ce5d1b3fd8efdc1dee74b8ba157fa7d

SHA256
74d6db8bae34fedc9343915c0663e744178d9eb086ced38fcf484f8b0472b41d

SHA512
65bcbf6d83b1175985238a679187520188a77045e475d8c7b5bd64b52d3f5aca5b47bc929d990bb223701afda4b14703f20f37f2e545810e62afc7dc0faad257

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
4KB

MD5
15fd147e2a5855241b386a46847d7ec5

SHA1
fc03bcbd7e075751673a0cf7d2db3c49ce14a960

SHA256
c4506a63c1dcbe8188816d06cb70215825e43d951fe76c90f4b81a29d41ead2f

SHA512
11fbf0e3c6ddb7cf5ec05fd91f54cd295d3616b6ff781e27ede909aec7be741130d244f38f597d1de5f78f0d1067decd73fe35cf4c7af11395c5c7f60008bdfc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\fb3b0dbfee58fac8.customDestinations-ms
Filesize
4KB

MD5
9f48925c98077231b325051cdd32e76a

SHA1
0a30628ac4201c7a4b73c5017ef784883b32626e

SHA256
f33aabf69d29dbb05e4fb267f452d944235249410aa8d0757087626e0dc3f3b6

SHA512
8daf2aad9cabffc285a1eded617e0c9396828af5088648dcb81135d5c83a0c90b1ffb7769f241dd016669696a2ee0ff4af1f298656cfd3fcc8841dea325d0080

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Carpeta de Salida.lnk
Filesize
860B

MD5
d9b5597583cb1690905ebbbe63e92ad8

SHA1
95ef3b1a21da2a3b797c341f8e004e12ef721672

SHA256
b537e06b4c9e048a18fde0829a055d50b44e1cbe1fb2730d75bf7c0c1dc8a02a

SHA512
156528b24d9034af84d4de2fda4375c192c83e0afb4e8fba6152c3aed203dce4e690278c43765e6c88fffebe0652bc010f1fb01c4ba8c19c4d110870dd8466c3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Desinstalar.lnk
Filesize
896B

MD5
ebc32a37c78da86d5f6ff2d2952ca22a

SHA1
a14ad5e0e946b40a4c4e2a9ecccf74b72fae33c4

SHA256
bb20d074a4e2c24eb4bd3afcc8f49fb5649c9155161a1f664b47d54dc3df1238

SHA512
ebe57c16e09eb9c39acf97b72a62bac5b079912d03286febd58f3c5be2095b04203e0a7a8ff175c14f20ec459798a255a729efe659aa8cd6692b2e738e397e29

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Manual.lnk
Filesize
1KB

MD5
f5df818869b2239831b0938536530fbe

SHA1
9db715f7ab87afb4e5ad4dd878019117f337d2a4

SHA256
5cc8e5504f49d7d60fcf8ae9f9d3a6e8f426365e95484f8b8adb90bc07c39dd7

SHA512
5abf1bb58bcc662bb360ce0d7bdc166fcaaf64787fa9a288adb8a89253165106b375dbc08a34cdbf76cff091d3112cc65fb1e1bafe3550fcfb56a8d2e8e18b22

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Prevalidador DIAN Prevalidador Reporte Conciliacón Fiscal v2.1.0-19\Reporte_Conciliación_Fiscal_F2517V4_AG2021_v1.0.0-2022.lnk
Filesize
1KB

MD5
119ced64ce0f5c416735534316845188

SHA1
512d595ad0161674e65ce87db88ba81209113ec2

SHA256
600560b3c6eb79aa60b68dca573968667aa660b92417c39b317a35512cd331c9

SHA512
7a4780696e257584939a3137b4782b052eec80cd481a858d2d71b37be0d486b7205fcad8f6384afb79e15eeef94e9bcf69d4e569b6269ab72fcd97049943cf0f

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
Filesize
21.4MB

MD5
6162dc0d922b3ffcdbcce0d98d0d958d

SHA1
14402a85d3d8ef7a3cf569d21307fe50e3ba3ba3

SHA256
9fd2c794f277895ddcf00c549af68124701ec98ec691d6682a658d0fe5712666

SHA512
3d0a878c349dee774a22994357f9b72c3d0841349d7769ca508153ba0e57f69c9d65d0cbd3b0e3fea89f8f075edd7ecfa5463689d9b68785ca7fb75758d34b73

Download Submit
\??\Volume{a02f78f7-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5ce9bc0c-fdf4-484f-ac30-a01ff1652a9a}_OnDiskSnapshotProp
Filesize
5KB

MD5
a2bf1be8d1651d8f39d655317260f264

SHA1
8611980bcd6b24763c97f6b20c1172c47dd5f173

SHA256
ef93dba2a5e4bd5f683ddce97cf14f491dee549be2ca07ca43485f1fbced7f94

SHA512
b3f04423da0cacd306478dc8fc47498c022e92f26bd284519b01ae1262b8989b8dba72cac874ababd50316b2ef7d4d24ba94806b4361da88da5ba1881c4b8143

Download Submit
memory/8-226-0x0000000000000000-mapping.dmp

Download
memory/608-200-0x0000000000000000-mapping.dmp

Download
memory/608-129-0x0000000000000000-mapping.dmp

Download
memory/800-162-0x0000000000000000-mapping.dmp

Download
memory/868-179-0x0000000000000000-mapping.dmp

Download
memory/1104-125-0x0000000000000000-mapping.dmp

Download
memory/1308-184-0x0000000000000000-mapping.dmp

Download
memory/1332-207-0x0000000000000000-mapping.dmp

Download
memory/1372-155-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp

Filesize
64KB

Download
memory/1372-136-0x0000000000000000-mapping.dmp

Download
memory/1372-143-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp

Filesize
64KB

Download
memory/1644-170-0x0000000000000000-mapping.dmp

Download
memory/1944-230-0x0000000000000000-mapping.dmp

Download
memory/2292-127-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2292-124-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2764-146-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp

Filesize
64KB

Download
memory/2764-149-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp

Filesize
64KB

Download
memory/2764-137-0x0000000000000000-mapping.dmp

Download
memory/3364-191-0x0000000000000000-mapping.dmp

Download
memory/3504-138-0x0000000000000000-mapping.dmp

Download
memory/3560-167-0x0000000000000000-mapping.dmp

Download
memory/3648-140-0x0000000000000000-mapping.dmp

Download
memory/3864-139-0x0000000000000000-mapping.dmp

Download
memory/3920-210-0x0000000000000000-mapping.dmp

Download
memory/4384-134-0x0000000000000000-mapping.dmp

Download
memory/4548-225-0x0000000000000000-mapping.dmp

Download
memory/4680-176-0x0000000000000000-mapping.dmp

Download
memory/4732-141-0x0000000000000000-mapping.dmp

Download
memory/4880-197-0x0000000000000000-mapping.dmp

Download
memory/4884-152-0x00007FFC6C070000-0x00007FFC6C080000-memory.dmp

Filesize
64KB

Download
memory/4884-135-0x0000000000000000-mapping.dmp

Download
memory/4980-131-0x0000000000000000-mapping.dmp

Download