d5a68a111c359a22965206e7ac7d602d92789dd1aa3f0e0c8d89412fc84e24a5

Resubmissions

11-03-2023 15:23

230311-sse8csbh7z 8

11-03-2023 15:04

230311-sfsmxsbh31 8

11-03-2023 14:55

230311-sas2hahh97 8

12-10-2020 19:17

201012-xxyy2r88tj 10

Analysis

max time kernel
160s
max time network
402s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
11-03-2023 14:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fechas de pago programadas.xls
Size

91KB
MD5

e98b2ac88a1f33a371175e24c189ef5e
SHA1

bd9207d48d365c37466abd11c4e10af114632bad
SHA256

d5a68a111c359a22965206e7ac7d602d92789dd1aa3f0e0c8d89412fc84e24a5
SHA512

b116d252e667fbb3254ce17f2decfe0e938a9557a7162f3d8e4fe4cf55755fd11458c44608cf4623750f51dce4de86d5b8522bbbf581489585c83c6417edd3a3
SSDEEP

1536:J5555qfeNEtlDWZNgng9sqm4xEtjPOtioVjDGUU1qfDlaGGx+cL2QnATySBCK5z4:A4xEtjPOtioVjDGUU1qfDlaGGx+cL2Qk

Score

8^/10

macro

Malware Config

Signatures

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

Processes:

resource
C:\Users\Admin\AppData\Local\Temp\Fechas de pago programadas.xlsm

Deletes itself 1 IoCs

Processes:

EXCEL.EXE

pid process

1888 EXCEL.EXE
Office loads VBA resources, possible macro or embedded object present

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exeEXCEL.EXE

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit"	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell	EXCEL.EXE
Key created	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105"	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes"	EXCEL.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1914912747-3343861975-731272777-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE

Modifies registry class 64 IoCs

Processes:

EXCEL.EXE

description	ioc	process
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\ = "&Print"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0045005800430045004c00460069006c00650073003e00560069006a00710042006f006600280059003800270077002100460049006400310067004c00510020002f0064006400650000000000	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe"	EXCEL.EXE
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohevi.dll"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\InprocServer32\ThreadingModel = "Apartment"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\ = "&Edit"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\""	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\command	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open"	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\EXCEL.EXE\" /dde"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe	EXCEL.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\ = "&Open"	EXCEL.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit	EXCEL.EXE

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

NOTEPAD.EXE

pid process

920 NOTEPAD.EXE
Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

EXCEL.EXE

pid process

1888 EXCEL.EXE
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

1276 chrome.exe
1276 chrome.exe

pid	process
920	NOTEPAD.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe
Token: SeShutdownPrivilege	1276	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

Processes:

EXCEL.EXEchrome.exe

pid	process
1888	EXCEL.EXE
1888	EXCEL.EXE
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

Processes:

chrome.exe

pid	process
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe
1276	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

Processes:

EXCEL.EXE

pid process

1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE
1888 EXCEL.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1276 wrote to memory of 1452	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1452	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1452	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1392	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1900	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1900	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1900	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe
PID 1276 wrote to memory of 1968	1276	chrome.exe	chrome.exe

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde "C:\Users\Admin\AppData\Local\Temp\Fechas de pago programadas.xls"
1⤵
- Deletes itself
- Enumerates system info in registry
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:1888

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1276

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6799758,0x7fef6799768,0x7fef6799778
2⤵
PID:1452

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1208 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:2
2⤵
PID:1392

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1508 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:8
2⤵
PID:1900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1624 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:8
2⤵
PID:1968

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2204 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:1
2⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2232 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:1
2⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1440 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:2
2⤵
PID:2304

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1568 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:1
2⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3896 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:8
2⤵
PID:2424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4012 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:8
2⤵
PID:2440

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4152 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:1
2⤵
PID:2644

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2308 --field-trial-handle=1272,i,8478147707275200153,6548501905948871875,131072 /prefetch:8
2⤵
PID:864

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1732

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:280

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0xc8
1⤵
PID:2428

C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\java_install.log
1⤵
- Opens file in notepad (likely ransom note)
PID:920

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /dde
1⤵
PID:584

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\2703f5e7-d95f-4a79-aa1c-2237858f8dcd.tmp

Filesize
4KB

MD5
b3b1a3b312836697167d1f20616f85fa

SHA1
c278244b5382b8c5c3c26f2562889e3dbfacb1f3

SHA256
8f0ae850486cade5e54f3d92f0fa737c94eed6cdb1521c28cdad512d8a39cbe0

SHA512
09338251b56547c9c28a15bf45c2d686cee28444f2ca526c943dbbee1baf6fc1c58f158b34a34e9a69a49a5ca282cd88cc8632f2a4e98aaf0dd511a92299a083

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\84543d1a-3726-4f65-af51-2d635da45c33.tmp

Filesize
4KB

MD5
cf944712842c2875e5626fe7d8cec7f5

SHA1
16e2cbad22488e3c40d78abbbcdf633af11d7181

SHA256
32c445c7185141f0fcc718efb088a5900003b4e589743ff6e3969f5549789090

SHA512
adf318666bffe3ab0f81390e37625ab4057a1f4eeb6f2db727c46242e645d80ae13388a0e8c3bc0c27ed55b3798e751e909c9ebd351f868c3e7b2bd08fe45da9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\CURRENT~RF6f9a2e.TMP

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
72606e662d03e800a5d565f3162f83ce

SHA1
50529aad37202a6582680f3d5c8a1cd75d180874

SHA256
a0314dcf9a1daed7ea155ef3bc73b5afe85eb3fe753f24775928a98a11f417a1

SHA512
473a9247dd068069eb386832aa808e07d490e3ec1104e1a5da8bbd6ddd623a9ee8e31bffa8eb74827ebad9adeeba96a688782e5148f0258c8489cb765352f04a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
4250c67c67c3710258210f0c45b4555d

SHA1
02ec9d3ed7602d86e3f348567d494d6737b0aa37

SHA256
8c3d7009769d928f822f27e8d0e44ae499218a94854c1beabbeac4b8ffdd823d

SHA512
dc7c3904771ef4d74b10308f8edb8f3040ef96e93c5e2ab1a4c07f3fc7cae90abc42799a7950c8cfe9acb1da64e664305d7b6bb414f95e9037b094fbda6505a6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
fa3b5e306c9bd5d3117817f7c1d544b8

SHA1
a0301cc87f92dbf000b37dbdec13a70f5a677d5b

SHA256
97c2cb82b216c2ef4ee694639ef1fe73f7215d316cf1f665fb28f4bad3334292

SHA512
e282ea21b3699a50c90deede2ee2d119dcafb7e7dfc333480586768c1bb93f78cffecf3bfd9e5e8e15e1176d3edd016a34ee98c355833ad2238aedf7b8d1c1a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
87b480b7b01e81a24829f61158613b22

SHA1
6a432fbca2f3a45887b14cacec7973f131a3285b

SHA256
df60d87e28bbe52518c4a6357a70d74476c6e2cc526a5b9c96289999ff1baadd

SHA512
56329d9b74453c023aeb86de9d46faa22c1ddb613f3467aa25c487008ca2073fc0e9bb6a6a2b48e16b43f85852a1ff08f6184352dae869b2c54a4bd806df3713

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
98cdcd56dc22b6a22a1bd5a108e316dd

SHA1
3d99345dc8beb20ca44b763ded101d6167ce2246

SHA256
df9ec010c76c98b62d430b91f5f29a0b8ad58d5ff87d3eca37899fa13944bdb2

SHA512
af58641117176696bb140dece83245bb2856c35d291e2f319dfd78a42cc7c55b035ee6dde19ed136042bd51db2c1b0e33c085204b1ea382c8fd19cfa479f8ad6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
75f2e3193f683775214dd9ffb13f3e7d

SHA1
93acf4de6277c41d00102543750b5571e5b5f900

SHA256
fba36de0dde3ab6855315902652194331d4ca07a8e8dff6646e2243415a7c47c

SHA512
2431b85da8e0605623ede01e38f8b65ce74f7e91d83499c5cc14b7ff6e3b8703a396b2ed4f17dbe53e711b6a7e0c9a228a6a353dd13a2de7247599dc2c99bba8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000004.dbtmp

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\R2EIRHNV\Xehmigm[1].htm

Filesize
541B

MD5
f28076e74df201204d0638103ad1fb40

SHA1
f16b853e534d8f7a65df72263850f96a2d9c01b5

SHA256
597cbf9f54490967480ce847c588478242bf664a37a6c8d144aa7586c31ab8a4

SHA512
cb148064958443ae64f321ad6bc04cf604f416201253ffbc153d3638fb9b183409a1c6a8f4fc1a98b5ac74101d1d776ef1ffa1ac39560606bcfa13b7d52994cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fechas de pago programadas.xlsm

Filesize
66KB

MD5
aa0746c2f7c8ef5a37ef655957e60e30

SHA1
a808d7cd3018e31c29a2c259bc5d5e57ee99c4e6

SHA256
9a7c3d755b51404fc3e1f76bc865f6abff058f47b0455a737b9b304dd4ae66ca

SHA512
16a1755cc927df3d5ace4cd1eb239ff1bbfa4641d21f58fc58d8edb88a3221c4b09ea85a591b19a8cb28fb98a1cbd5fc7827baa29b79af8e36b2c290d8a1f5c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fechas de pago programadas.xlsm

Filesize
66KB

MD5
aa0746c2f7c8ef5a37ef655957e60e30

SHA1
a808d7cd3018e31c29a2c259bc5d5e57ee99c4e6

SHA256
9a7c3d755b51404fc3e1f76bc865f6abff058f47b0455a737b9b304dd4ae66ca

SHA512
16a1755cc927df3d5ace4cd1eb239ff1bbfa4641d21f58fc58d8edb88a3221c4b09ea85a591b19a8cb28fb98a1cbd5fc7827baa29b79af8e36b2c290d8a1f5c0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6C12MZF0.txt

Filesize
107B

MD5
d4d0b6e8104d37b9192695718b140105

SHA1
346b7307f32f32cc79cca0ab2e48cef07300a497

SHA256
e606313f3d7de62c6699369e688395fe9339e1f69fb5e413fddc098214f37e87

SHA512
b343ead629dc10cc0e089e25af91df5742cbd9cc380d02d70bf6db9e90d4d26e383673c0a1f67bff8484132e73dbde2ca6fd2cf4df3541dbc3808ee8c8362d04

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\NRDTIQH.exe

Filesize
541B

MD5
13bc29dbbb1e33314bd2acf9cbf20c90

SHA1
ab242eeb2fcde34b4cc94b2f99772962b682b53a

SHA256
ba72aca978713bc6f3a21beea6095bc3e89d2e9e163c2e68f2edf1c51969e869

SHA512
d47fa241b6715cad5862f1a1f208edbd491906a479d6ae08324426a80861bbd2640bb9de81a19007dfe628f1107a3843dc6fe1d580e141692d4ed8378aff83d6

Download Submit
\??\pipe\crashpad_1276_IWLCFKDQJXUQZUKW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/584-372-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/584-371-0x0000000005DA0000-0x0000000005DA1000-memory.dmp

Filesize
4KB

Download
memory/584-347-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-54-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-98-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-128-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-129-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-130-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-131-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-133-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-132-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-125-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-120-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-107-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/1888-106-0x0000000006390000-0x0000000006391000-memory.dmp

Filesize
4KB

Download
memory/1888-97-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-127-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-99-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-82-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-83-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-84-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-339-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/1888-69-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-126-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-124-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-122-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-68-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-123-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-121-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-119-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download
memory/1888-67-0x0000000000810000-0x0000000000910000-memory.dmp

Filesize
1024KB

Download