Analysis
- max time kernel: 143s
- max time network: 107s
- platform: windows10-2004_x64
- resource: win10v2004-20231130-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20231130-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05-12-2023 18:16

Static task: static1
Behavioral task: behavioral1
  Sample: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
  Resource: win7-20231129-en
Behavioral task: behavioral2
  Sample: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
  Resource: win10v2004-20231130-en
General
- Target: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
- Size: 1008KB
- MD5: c556abc2e04d6889cf0a059f9133af60
- SHA1: 80d768a65c200d34517bdf788e8ae649e4f4addf
- SHA256: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220a
- SHA512: 1b766194cf4c7419366f9c05d1ba58ead14413125ce309825d4cd607edb4cb49bee7d4af46397df9d9bf27ea3418d96f642932ef068ea403f89a91b7e29162f7
- SSDEEP: 24576:p1tk+pJ16fvFeZ81CAH9ddcuq+vHWH32M4L:rZJUf9HH9Euqn32r
Malware Config
Extracted: agenttesla
- Protocol: smtp
- Host: mail.worlorderbillions.top
- Port: 587
- Username: [email protected]
- Password: vqpF.#;cCodu
- Email To: [email protected]
Signatures
- AgentTesla
  Agent Tesla is a remote access tool (RAT) written in Visual Basic.
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up the country code configured in the registry, likely for geofencing.
  Processes: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\Control Panel\International\Geo\Nation | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
- Reads data files stored by FTP clients (2 TTPs)
  Tries to access configuration files associated with programs like FileZilla.
- Reads user/profile data of local email clients (2 TTPs)
  Email clients store some user data on disk, where infostealers often target it.
- Reads user/profile data of web browsers (2 TTPs)
  Infostealers often target stored browser data, which can include saved credentials.
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes:
    flow | ioc
    6 | ip-api.com
- Suspicious use of SetThreadContext (1 IoCs)
  Processes: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
    description | pid | process | target process
    PID 236 set thread context of 1668 | 236 | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes: AcroRd32.exe
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | AcroRd32.exe
    Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | AcroRd32.exe
- Modifies Internet Explorer settings (1 IoCs)
  Processes: AcroRd32.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION | AcroRd32.exe
- Modifies registry class (1 IoCs)
  Processes: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-433534792-1200107535-3148087551-1000_Classes\Local Settings | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
    pid | process
    1668 | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
    1668 | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  Processes: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
    description | pid | process
    Token: SeDebugPrivilege | 1668 | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes: AcroRd32.exe
    pid | process
    1804 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes: AcroRd32.exe
    pid | process | events
    1804 | AcroRd32.exe | 5
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe, AcroRd32.exe, RdrCEF.exe
    description | pid | process | target process | events
    PID 236 wrote to memory of 1668 | 236 | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe | 8
    PID 1668 wrote to memory of 1804 | 1668 | 7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe | AcroRd32.exe | 3
    PID 1804 wrote to memory of 456 | 1804 | AcroRd32.exe | RdrCEF.exe | 3
    PID 456 wrote to memory of 3408 | 456 | RdrCEF.exe | RdrCEF.exe | 41
    PID 456 wrote to memory of 1000 | 456 | RdrCEF.exe | RdrCEF.exe | 9
Processes
1. C:\Users\Admin\AppData\Local\Temp\7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of WriteProcessMemory
   PID: 236
   2. C:\Users\Admin\AppData\Local\Temp\7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe"
      - Checks computer location settings
      - Modifies registry class
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1668
      3. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
         Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EMBARGO SALARIAL_MURILLO UMAÑA ANTONIO ROSARIO.pdf"
         - Checks processor information in registry
         - Modifies Internet Explorer settings
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         PID: 1804
         4. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
            Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
            - Suspicious use of WriteProcessMemory
            PID: 456
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=04738A2966F24B0D43D3543E9558DD54 --mojo-platform-channel-handle=1748 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 3408
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=F3B627B8EC7015681A2B3634720F64A1 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=F3B627B8EC7015681A2B3634720F64A1 --renderer-client-id=2 --mojo-platform-channel-handle=1740 --allow-no-sandbox-job /prefetch:1
               PID: 1000
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=F513E3C68161D8596DD9BCD054D2B3DF --mojo-platform-channel-handle=2156 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 5028
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=AB0E2F07AD904B14DBC1A0B7B2C628E1 --mojo-platform-channel-handle=1976 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 2364
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=9D7D1C9B714BB539464233D0D5ECC954 --mojo-platform-channel-handle=2216 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
               PID: 4352
            5. C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
               Command line: "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=E7CFE5089E5759C9C3AD8F60DB4E4EA5 --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=E7CFE5089E5759C9C3AD8F60DB4E4EA5 --renderer-client-id=7 --mojo-platform-channel-handle=2160 --allow-no-sandbox-job /prefetch:1
               PID: 4360
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 64KB
  MD5: acea1f133c8355343c8eb0c87465d60f
  SHA1: 82395142487997eb67e14e5626eed550cad10fbc
  SHA256: 56537e8400e83c3ea5291060c5932e439a252b6a55719ddde7524ebfaf918c75
  SHA512: 47d34ae9fb5924ea5377850622f0e842b6752a4545374784cd248b975fde770f8d708752c93977f0169fac5195d7d0e615d1f3f8b68447789cba12ba562dd66f
- C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\7313bba3ca9b2518cc049ad47ab159f47675c0199fc812b6bc5a0584616b220aexe.exe.log
  Filesize: 1KB
  MD5: 8ec831f3e3a3f77e4a7b9cd32b48384c
  SHA1: d83f09fd87c5bd86e045873c231c14836e76a05c
  SHA256: 7667e538030e3f8ce2886e47a01af24cb0ea70528b1e821c5d8832c5076cb982
  SHA512: 26bffa2406b66368bd412bf25869a792631455645992cdcade2dbc13a2e56fb546414a6a9223b94c96c38d89187add6678d4779a88b38b0c9e36be8527b213c3
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\EMBARGO SALARIAL_MURILLO UMAÑA ANTONIO ROSARIO.pdf
  Filesize: 120KB
  MD5: 5fcdd51c3cd1d44b10275bec6e299ab5
  SHA1: 23f6b41f34950a0d6776b3b593c57474c7440797
  SHA256: abcd38761579196d1f5fd4efa7c5eebc1f1e32c031775cb5539acef2dfc24bf5
  SHA512: 52c3bc80621716adbd9126d8ab284053bc298ab9c425ba455509851d32ae644eefb0856a33846eebe084d64d37495b479b21e7c26188aab4ed71f0b3a2ab50d6