Malware Analysis Report

2025-06-16 02:14

Sample ID 240122-vvsycabee4
Target 6DEMANDA POR DAÑOS Y PERJUICIOS_..msg mwr.msg
SHA256 8a7d5bc88cfc31834e41e91e034e305c8b18efde8ee86b69cc315d3dee3785d0
Tags
asyncrat default rat
Score
10/10

Analysis Overview

Score
10/10

SHA256

8a7d5bc88cfc31834e41e91e034e305c8b18efde8ee86b69cc315d3dee3785d0

Threat Level: Known bad

The file 6DEMANDA POR DAÑOS Y PERJUICIOS_..msg mwr.msg was found to be: Known bad.

Malicious Activity Summary

asyncrat default rat

AsyncRat

Async RAT payload

Executes dropped EXE

Loads dropped DLL

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Suspicious use of SetThreadContext

Drops file in Windows directory

Enumerates physical storage devices

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

Suspicious behavior: MapViewOfSection

Uses Volume Shadow Copy WMI provider

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

Uses Volume Shadow Copy service COM API

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Modifies Internet Explorer Phishing Filter

Suspicious use of FindShellTrayWindow

Suspicious use of AdjustPrivilegeToken

Enumerates system info in registry

Suspicious behavior: AddClipboardFormatListener

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-01-22 17:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-01-22 17:19

Reported

2024-01-22 17:48

Platform

win7-20231215-en

Max time kernel

519s

Max time network

753s

Command Line

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\6DEMANDA POR DAÑOS Y PERJUICIOS_..msg mwr.msg"

Signatures

AsyncRat

rat asyncrat

Async RAT payload

rat
Description Indicator Process Target
N/A N/A N/A N/A

Legitimate hosting services abused for malware hosting/C2

Drops file in System32 directory

Description Indicator Process Target
File created C:\Windows\system32\perfc010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\SysWOW64\PerfStringBackup.TMP C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh011.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh00A.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc00C.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfc009.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh010.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\SysWOW64\PerfStringBackup.INI C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\system32\perfh007.dat C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File opened for modification C:\Windows\inf\Outlook\outlperf.h C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
File created C:\Windows\inf\Outlook\0009\outlperf.ini C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Enumerates physical storage devices

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Modifies Internet Explorer Phishing Filter

Description Indicator Process Target
Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = a8855c02594dda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PhishingFilter C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = … C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50c64dfb584dda01 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\ShowDiscussionButton = "Yes" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\COMMAND C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{256E78D1-B94C-11EE-A586-F2B23B8A8DD7} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\ONBttnIE.dll/105" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\Contexts = "1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote\Contexts = "55" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default HTML Editor\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\Default MHTML Editor\shell\edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\Se&nd to OneNote C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "412106586" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\MenuExt\E&xport to Microsoft Excel\ = "res://C:\\PROGRA~2\\MICROS~1\\Office14\\EXCEL.EXE/3000" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597} C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Codepage C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec\application\ = "Excel" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Publisher\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\ = "&Print" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b0057004f0052004400460069006c00650073003e00620069002400540021005600210030005a003d007b0050006b00300076006d007e0041005a00750020002f006e002000220025003100220000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shellex\IconHandler\ = "{42042206-2D85-11D3-8CFF-005004838597}" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\ddeexec C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Word\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\application C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Excel\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Microsoft Publisher\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\DefaultIcon\ = "\"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Old Icon\mhtmlfile C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Excel\shell\edit\ddeexec\ = "[open(\"%1\")]" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Excel.exe\shell\edit\ddeexec\topic\ = "system" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\ShellEx C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\Excel.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Print\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\WinWord.exe\shell\edit\ = "&Open" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{42042206-2D85-11D3-8CFF-005004838597}\Version\14\ = "C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\WinWord.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\WINWORD.EXE\" /n \"%1\"" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\command = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b005000750062005000720069006d006100720079003e00520024006e0075006a0053005700460065003f007d0061004c00720052007000390078004000570020002500310000000000 C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key deleted \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\Edit\ = "&Edit" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\shell\Print\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\msohtmed.exe\" /p %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithList\MSPub.exe\shell\edit\command\ = "\"C:\\Program Files (x86)\\Microsoft Office\\Office14\\MSPUB.EXE\" %1" C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.mht\OpenWithList\Microsoft Word\shell\edit C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: AddClipboardFormatListener

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe N/A
N/A N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe N/A
N/A N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe N/A
N/A N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: 33 N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\system32\AUDIODG.EXE N/A
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zG.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
Token: SeShutdownPrivilege N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\7-Zip\7zG.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A
N/A N/A C:\Program Files\Google\Chrome\Application\chrome.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2312 wrote to memory of 1480 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2312 wrote to memory of 1480 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2312 wrote to memory of 1480 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 2312 wrote to memory of 1480 N/A C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE C:\Program Files\Internet Explorer\iexplore.exe
PID 1480 wrote to memory of 2912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1480 wrote to memory of 2912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1480 wrote to memory of 2912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1480 wrote to memory of 2912 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2596 wrote to memory of 2780 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2780 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2780 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2780 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2596 wrote to memory of 2780 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2780 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2780 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2780 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2780 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2780 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2780 wrote to memory of 2116 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1220 wrote to memory of 2200 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2200 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2200 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2200 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 1220 wrote to memory of 2200 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2336 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2336 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2336 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2336 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2408 wrote to memory of 2336 N/A C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe C:\Windows\SysWOW64\cmd.exe
PID 2200 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2200 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2200 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2200 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2200 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2200 wrote to memory of 1652 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 2336 wrote to memory of 2772 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
PID 1620 wrote to memory of 708 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 708 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 708 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe
PID 1620 wrote to memory of 2492 N/A C:\Program Files\Google\Chrome\Application\chrome.exe C:\Program Files\Google\Chrome\Application\chrome.exe

Uses Task Scheduler COM API

persistence

Uses Volume Shadow Copy WMI provider

ransomware

Uses Volume Shadow Copy service COM API

ransomware

Processes

C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE

"C:\Program Files (x86)\Microsoft Office\Office14\OUTLOOK.EXE" /f "C:\Users\Admin\AppData\Local\Temp\6DEMANDA POR DAÑOS Y PERJUICIOS_..msg mwr.msg"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://drive.google.com/file/d/1P4O12_4zwvJp-ShBm4ZEDLlPItPj8z9b/view?usp=drive_web

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1480 CREDAT:275457 /prefetch:2

C:\Windows\explorer.exe

"C:\Windows\explorer.exe"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x4ec

C:\Program Files\7-Zip\7zG.exe

"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap19245:106:7zEvent6279

C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe

"C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe

"C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe

"C:\Users\Admin\Downloads\2 NOTIFICACION DEMANDA\2 NOTIFICACION DEMANDA ...exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\SysWOW64\cmd.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5c99758,0x7fef5c99768,0x7fef5c99778

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1180 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1528 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1620 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=1552 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2196 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1180 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:2

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3472 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3660 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --reenable-autoupdates --system-level

C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe

"C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\Crashpad --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x154,0x158,0x15c,0x128,0x160,0x13f8c7688,0x13f8c7698,0x13f8c76a8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2300 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1340 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2064 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1896 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=2708 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2348 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:1

C:\Program Files\Google\Chrome\Application\chrome.exe

"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3736 --field-trial-handle=1224,i,1968830099871303979,3481151867426030581,131072 /prefetch:8

Network


Files


C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 ac89a852c2aaa3d389b2d2dd312ad367
SHA1 8f421dd6493c61dbda6b839e2debb7b50a20c930
SHA256 0b720e19270c672f9b6e0ec40b468ac49376807de08a814573fe038779534f45
SHA512 c6a88f33688cc0c287f04005e07d5b5e4a8721d204aa429f93ade2a56aeb86e05d89a8f7a44c1e93359a185a4c5f418240c6cdbc5a21314226681c744cf37f36

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\CAF4703619713E3F18D8A9D5D88D6288_A7725538C46DE2D0088EE44974E2CEBA

MD5 b1d66a1b0f0bc6af99dfd1a22e15a6ef
SHA1 c6cd4a9897420b27e94ee66806bd71ebbc0dcc81
SHA256 717f4b84f86f9de705353fb234d0e15303b566d57a934bb1f44699e5b16b0aef
SHA512 02bcd658b689f390858b1eb4739a99a7041efb9e4c5c3513cdcc9be1fb2118f87b1f17da673ee3e5610349933532b8d59fbf0b430f4b09966db971a23c79b1b6

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 64e836a61886ec9e8b2669670291803a
SHA1 64303e0bb55dec85bbb71d8fa346e4ba8add8eed
SHA256 876c691b537616a3b2f3c480edf644060cb72c92254be828c11c040c857be6ed
SHA512 4824cf64d7d97b0fd7ed5e5710273127102a47fa5e8b57320b33a338399da78c49bc1a306b5051a4e717ac32fa721b78cccfa7ce12e89b09db6c37feca874d41

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\24BD96D5497F70B3F510A6B53CD43F3E_3A89246FB90C5EE6620004F1AE0EB0EA

MD5 e5e6836018438496427a99c05235c848
SHA1 1d44f992395906082d9e25c0ff4bc5147b48399a
SHA256 661d20abf4ba15decb2a5c4164113565917de5fc95c49ff506fffb1e5fe09943
SHA512 d74fe3300f21e2e52e9d9c7cff3d375f4fe32b93f0597d97150b514c4e93109e60dbbe1638863ae243f943b22aaf5e6219915015c2972e555fc1eeb9d8a9d8e4

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

MD5 f50f89a0a91564d0b8a211f8921aa7de
SHA1 112403a17dd69d5b9018b8cede023cb3b54eab7d
SHA256 b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec
SHA512 bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_F6683F4776D0303FB83B8F5DA6BFA751

MD5 2cf7e10e94610160665bd9e61bf8f4c9
SHA1 ad3af72b814bb51e5d6960cd5a86ab59f226dc6c
SHA256 2f3e747617b619dabb2837790822456c446532e2f955c42405127a78425fe378
SHA512 d2ef6cd43e0879d3bf1336a2c8a08d13a6945fc37e8979221d8bca522b6ca0fe8e0c865eb750693873459a1eac6bcd4c0e34bcb912a5b78ef03983c7ea3a23f5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_F6683F4776D0303FB83B8F5DA6BFA751

MD5 a4ff004f254f74252daa28245e1be758
SHA1 3d3ab0a0cce45a9664e84ab2f492bab56d777e10
SHA256 56769962153766c661a1e773375435fb0c47b09e408881cdb3bc0374e6f87930
SHA512 c7dd80cdfec3e913a8d560236e081c5bcf386b5c0924486f63c56cd59f6e24bc9546357979ff76c7c34d6d00f3a1729a75b5ca5b2c579b9571652096812076ac

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

MD5 aefd77f47fb84fae5ea194496b44c67a
SHA1 dcfbb6a5b8d05662c4858664f81693bb7f803b82
SHA256 4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611
SHA512 b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\A16C6C16D94F76E0808C087DFC657D99_1362B7791428C28A832A1F1A09A6ACBB

MD5 40bd5c9d420c5ef86c805b027b3db1ee
SHA1 f6b7bc9c0bafbda8accabe90624dbaedbd136222
SHA256 367b655565ca3a0bc7ab21dad4d011b596516f1b699a9b3005fe6564325935ce
SHA512 cf593a845d1d06bf6ba998c781d747c30a8236956eeabcebe6da93fbe67c3575559ea49de3fd0e8a9b02df91a853cd59c6ef1a2f237cabb406bb9cb01a1877c0

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\A16C6C16D94F76E0808C087DFC657D99_1362B7791428C28A832A1F1A09A6ACBB

MD5 202ac72becb1837b7330c48371d55d02
SHA1 bd33e59e4e3489520f576e99e928f4cabe464631
SHA256 e756f3eccb57e762f382e3e09a4db7d1bd1c5e79e5c61a6eb654c3ea726b7e16
SHA512 e94de78f4410779b9e0dd3543456703a885b0be421ff3aa00033774228125da266308904798cc9075876f5dbf9970f9864afcbaabba0c6f4555e6ba3d3336afc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F07644E38ED7C9F37D11EEC6D4335E02_9D33622E5AB2773AF26A81395E3DD2B8

MD5 0a66b4f98dc2d91574ab7cf98623d044
SHA1 74f4fe144bbd2e40784ca7bd9771e2acc9baee07
SHA256 3777220a1f9ecb7d6a5a760c616601705069ec1597e6322e8fe5e8f7a6913dd1
SHA512 be608955691f0dd91efc6727421a13af986a113e0b839be871d648d3a50345ec7450ab87d4d3f202661b1edc2d0366ced6fd4d7592e8f52a64d9a5d037be1eca

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F07644E38ED7C9F37D11EEC6D4335E02_9D33622E5AB2773AF26A81395E3DD2B8

MD5 5651a7efd780fc2ab6884896367eccb4
SHA1 23cfc175f5d52464d6705cd70e6efbd4c7008d1c
SHA256 c31c35268ea70b0400ae1cab9fb494b1d3fce049a2211a17550f60d357cab7f8
SHA512 c19a08449fbd519a0ec75b83091fad1d371dbd4668b0615dc84e24331b525a3921c91593bc05e1026afbbcf7277fd7e1b5bd087b472a54e7dfdef30a929a2587

memory/2116-1584-0x0000000004C10000-0x0000000004C50000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E87CE99F124623F95572A696C80EFCAF_ACE741CAE478F9E8195FFCECA66B0544

MD5 98a9264f3436df37c415984ab4cfbf52
SHA1 dccb884c0cc027e43cfaaae4840b5cff87681965
SHA256 c78ee68524182eb297f58026d8857d86664b7d2c78cd8eec4bf10a1e10f702bd
SHA512 e79d359c5a3120ed8a3b526ef90b1ab2dee2521c4d9cd8ba0008b10bd08041a428a0078f284300ddea7b62d80bf0d4e98ebe64ff8123c568018b9364bcc156b7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E87CE99F124623F95572A696C80EFCAF_ACE741CAE478F9E8195FFCECA66B0544

MD5 22ca16f38f22f61e7d700a16f65cc229
SHA1 59e977f1b501d217f0d1909bd87ec07d26e8bdfe
SHA256 51c9c6dd6542b214e57f3d63018f3c9f346bc6fb797bd4088b010b32ea5221f9
SHA512 c2be4f048760020a9104b050c2945439378bd908102df6bba48310db99a56ec4ed4eccf2ffaf6378588ee12b3deb558d5fd445d53541048c51d7c4d2c9236f7c

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 5d171827e4fb4ea1d50cb32cb6e402f5
SHA1 11a38996ee4f9b3198641422e98d70d1a44e49c5
SHA256 3eab0cf679a614f718b01ba55a020812ff2aafe606a02229e3a3f5ab4b44d8bf
SHA512 1a663854cddfae17768f7f5d3378f3a161f2da6a36f9d3edb09cf492f3febe82de87f2730c15d9f5eaa163b8a9e5c6064cb9cb8b36c66191ae3ab2eb055ba4b9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 7d3dd6b167a92da760640e1bee56579b
SHA1 20a79763eb08fbaa6db62298161582b47f3c3492
SHA256 bece4997bb719e36a31e235844b0a5f22eec9ae48bc92511a5a7d3208ccbf945
SHA512 2500b8069ed8a3eecfc0c86d95d8d1ccfd428d5f60fecaf01fcf6d506eef0f575dbd61c93e5e68d1043ab6d5b9d59eac885dc6d81c0f19c2c1f8bff9fc444575

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 4f3df8877ab18df2c547fd4096a2e629
SHA1 437c88561f17772473efdeac5db5c7fe7f3c2810
SHA256 3990da4a22e9e000c720fe136317383b7ecde417aa8aca3f0a6bcdbb73403c3e
SHA512 c05b8e4396ed44d8208ea2aa1c0a09522075c3c4383eccd76ec9033152e9470736e474b79b3aadbc5acf8ee501ac658172cf72d4d566deebe054a7a669f5261a

memory/2116-1685-0x0000000004C10000-0x0000000004C50000-memory.dmp

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 a100bd45111da94b88d96337a47be659
SHA1 630163a0d874d483978f048ba8467a554402a20c
SHA256 c93ca3326c3b7fb2dfc38db41a28b4b4927a4aa1ba8e3b29e870c3b3295d37e3
SHA512 205da5f855a5f521b6adf810997e5852efeecfe6dbe32a5fbcb769dc29a03ba2748d084457619a066f0b1765465c81cff1790f8a5946fe5eda286d4fd959f329

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 26d4027cf2d2793962207e00ae6033bd
SHA1 a0dc769e27b8efab3b28b5fc6e7d0006b8488f2a
SHA256 27be5aab79099d354aa970f633fd61e3884ce1209b6f8633bb7d382bdd1a4e5b
SHA512 03dec06597a8d1a42a7f8aa085955ab3adbf70ad0a1049b196d7dedeb49ce6d1830b787a0db8bde7221aba45bf1160510613a0a82613953561cb511ea8464f70

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

MD5 105771661ad2f3f43ee98dc6f1bdd2f0
SHA1 b559cd7faf7948ccdc47109da31ca320b3a090d0
SHA256 80977b6a09fbef67c0b56d352aa18e5e075e9c178983beeada0f3c41d15746f9
SHA512 b6a362017b130d70bb355e5851bb4f8a184d6e5b5cf45297ecc15b13dfc9affac5561f02457364a17acffc4f04a9c27b0b737e63863598a46080b84ed3e86f71

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

MD5 ae67874089a2b9846f1b0d5b191be32e
SHA1 5d604ae193286492a87fe060fb4fd617424099c5
SHA256 b288da6bf5720b30a4051167da9177c572e7f81a56bf31cbfe2dbba1cb96460e
SHA512 8e3ad9384c837af49ed17f11136271e1d5d678f377fa7596d401e65ab9a73cd1b483a3afee4c8da6bfe67c78ba42935c875183e9de856729290b589d53836a82

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000019

MD5 c445ab4315d0633d446998c80764cc36
SHA1 47d3dee9845cc6e29b6771dd6560793b8b93000e
SHA256 5635695eeb70b51c449aea7a5bd3c9699c3c28c64498fb7fcb8173aad45d7242
SHA512 83a32ffdddf3ee56e89f232c8d05a4b00265895b0e41d13700f90fa389f0bf3f112c291c24c3819751803322b11e2ff866971d835d601672b36818c4e099bff1

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT~RFf7eadad.TMP

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

MD5 de50256eec2fd32101482d861b070a40
SHA1 2c39177e16563dbc5118cff5f751a651c91c76f2
SHA256 f084dca85642435f2f5780f44ee3c6b67c1dc35164cba38b03038a0565931fda
SHA512 a26fc96b969a02c9fe1f889282b0fd14a23cd94f175ec85c7977fa635737bd0f3af1e99e993b2457d6066aab693e8f3e65719a49fb96e69582305fcce2787f89

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\674c7ae8-4fbd-446d-acab-b09d98a451e2.tmp

MD5 ff7cd6c1b3621dd15d3728126bf9f69f
SHA1 ad28cb1a3edf29a3ee1d71d18b9387ab3bc22540
SHA256 1df6455de891a887a1710d85f2286c87858f9baeba76238609fc2707624d334b
SHA512 71297d0af1163669ead0aa5391dc81e43fba4d43d10a1d6cc5340f57c6e49c8ad7674c7ba9af0fc85deceeda52ec10a179bdce0927d89c691ba77d432a4a913d

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 9dfc4f415fc0d7ae081d4128b87f0b45
SHA1 e313fcaaf0d954d42b6b33d2ccf6719b781c5b5e
SHA256 f02b06622f903cd22821ddc29d8a2f70d131cdb9e261ae9423a0a7ce6916d5de
SHA512 05629e7cc39d0086165e46deff59debfb99b386ca9c6e82872d8440f470880b6153c4cd36e4b6dc942c84fc5b470d457d8b63bd81c9981e8bd20a69aa7467a50

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 9a0e75e9fd713e223c494fc8c991bd89
SHA1 0ff6993c2f908b58c83c206a423d01e17d38a772
SHA256 778e8a3b5b081710b4a115e7f4e729f5ecdc5b92c6c2295e3bdcec1fd1da47ed
SHA512 1787efe7840b6112208e87e23b61e6d659795425abd9bbb1b4e544f057e3568bd9b20bacd35178b563b5c6389d0f6eab2262887f85ad4a4d0f31ef6c7b9aaaa9

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 b5525aec69e1ce76ea01921395a13ceb
SHA1 82500ab60854284a41bfe36725ebf19bdff5cdd8
SHA256 9dd2b49875c69a046344c818aae31bfdb3488a81ab0b99d01d2a09b245dc759d
SHA512 0e9d60b622f516f030f06489ffad7c2a0a61a02aaf77e3bd532c5892639227d6a0f915387effffdfda0255afe7550217e15d675aa9469240f5d031a6a5c94aab

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

MD5 1107581fdda72b2bc6eaa6733681563e
SHA1 dc55e6cbfaa0a9ef910b796b3ea2577923cd23f5
SHA256 a18aa43c76775c9ae756387435ac58cb4d9c881a3f4ddebc1bb9ed40b774ee39
SHA512 3b7d499069482e3b7581e8e30cc8874bfc764edc64e59a068c4dea6402eb0944071952119560341ce00be3ccbf013dc7322158ebf81c429d938ea668edaf17a0

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

MD5 76bc970473bbde6da1998a6676e808e3
SHA1 8ed63e79359c94affd2d88e163ee2ee78743c525
SHA256 0542d24155587621f439b5a876bdb6c1031925ddeeb4a12e0b5af8c9d4a97f56
SHA512 a5f74a5dffacf2c7a738b6560df822d8c63ebbd505221aadc0320910f6c77149a6db5564ad16cdd4fb37f462c7fb6b29b43fd814ae3527256fa5257bbe552ac6

Analysis: behavioral2

Detonation Overview

Submitted

2024-01-22 17:19

Reported

2024-01-22 17:51

Platform

win10v2004-20231215-en

Max time kernel

1165s

Max time network

1170s

Command Line

cmd /c "C:\Users\Admin\AppData\Local\Temp\6DEMANDA POR DAÑOS Y PERJUICIOS_..msg mwr.msg"

Signatures

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings C:\Windows\system32\cmd.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3336304223-2978740688-3645194410-1000_Classes\Local Settings C:\Windows\system32\OpenWith.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\system32\OpenWith.exe N/A

Processes

C:\Windows\system32\cmd.exe

cmd /c "C:\Users\Admin\AppData\Local\Temp\6DEMANDA POR DAÑOS Y PERJUICIOS_..msg mwr.msg"

C:\Windows\system32\OpenWith.exe

C:\Windows\system32\OpenWith.exe -Embedding

Network


Files

N/A