hxxps://docs[.]google[.]com/uc?export=download&id=1GXzoGud7TjDspQvDYrAB43JRZndT9HJD

Analysis

max time kernel
1800s
max time network
1799s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
22-01-2024 19:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1GXzoGud7TjDspQvDYrAB43JRZndT9HJD

Score

7^/10

upx

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2000	VER_LISTA DE PRECIOS.exe

UPX packed file 6 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/460-268-0x0000000013140000-0x000000001496E000-memory.dmp	upx
behavioral1/memory/460-269-0x0000000013140000-0x000000001496E000-memory.dmp	upx
behavioral1/memory/460-271-0x0000000013140000-0x000000001496E000-memory.dmp	upx
behavioral1/memory/460-270-0x0000000013140000-0x000000001496E000-memory.dmp	upx
behavioral1/memory/460-272-0x0000000013140000-0x000000001496E000-memory.dmp	upx
behavioral1/memory/460-279-0x0000000013140000-0x000000001496E000-memory.dmp	upx

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	taskmgr.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	taskmgr.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133504239147355137"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1232405761-1209240240-3206092754-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
2652	chrome.exe
2652	chrome.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
3000	7zFM.exe
3352	taskmgr.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe
Token: SeShutdownPrivilege	4444	chrome.exe
Token: SeCreatePagefilePrivilege	4444	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
3000	7zFM.exe
404	7zG.exe
1368	7zG.exe
4444	chrome.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
4444	chrome.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe
3352	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4444 wrote to memory of 684	4444	chrome.exe	86
PID 4444 wrote to memory of 684	4444	chrome.exe	86
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 2344	4444	chrome.exe	89
PID 4444 wrote to memory of 3908	4444	chrome.exe	91
PID 4444 wrote to memory of 3908	4444	chrome.exe	91
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90
PID 4444 wrote to memory of 2332	4444	chrome.exe	90

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=1GXzoGud7TjDspQvDYrAB43JRZndT9HJD
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4444
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcf2159758,0x7ffcf2159768,0x7ffcf2159778
  2⤵
  PID:684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1696 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:2
  2⤵
  PID:2344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2200 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2120 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:3908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2964 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2956 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:1
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5224 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:2280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5332 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:4052
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3740 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:3920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3264 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5468 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:5064
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA.7z"
  2⤵
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of FindShellTrayWindow
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=5132 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:1
  2⤵
  PID:1388
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5772 --field-trial-handle=1872,i,12401672131215797977,7845029763928740811,131072 /prefetch:8
  2⤵
  PID:5000

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4912

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2724

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20909:140:7zEvent11068
1⤵
- Suspicious use of FindShellTrayWindow
PID:404

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\" -an -ai#7zMap23400:196:7zEvent30124
1⤵
- Suspicious use of FindShellTrayWindow
PID:1368

C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.exe
"C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.exe"
1⤵
- Executes dropped EXE
PID:2000
- C:\windows\SysWOW64\grpconv.exe
  C:\windows\syswow64\grpconv.exe
  2⤵
  PID:460

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /7
1⤵
- Checks SCSI registry key(s)
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
PID:3260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
7c752e080d32d74e4e4359f3a7b57816

SHA1
0051e8f63a5877483377dfccb8c62041ca0368a3

SHA256
41290fdddd02c39fba93e6a244e5b0036138c4880702c95574d941aaac86eeb5

SHA512
bdffd420d348566d44e6d73e5ffe7f817a017276a05aeb197476d07af199c789c1020cae4a0558fffd488b13a450a3bf84315be1386b819a02c809abacbdb612

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
276795eb174045a37f5ec28c7c61d9d6

SHA1
58408636c6c01973d199907a1365ab9ef05d0bc7

SHA256
35731e6dea4e39172534ae7cc6cf65600ef865b01db93d7e3d3ccb30437d6e4a

SHA512
925c6c5cb2c9a09aa72a860fcc601cf98fed26304eec49a1ebe12bf760168c4c02cef25e817ce529b39284a9350bcfcfc22ead32340e0dcd9b9f2c8a2cb653aa

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
539B

MD5
2a54de27797a0667b9e3404afcc50aa8

SHA1
aeae268bbc1ec97f6dfffe81d782e3548439a89e

SHA256
bc04626ce83819f7be9d36dc07b0cc04eb9c0f63f21c6f4f46d1bf20a539da55

SHA512
dc70602063da1bfeb6d0a35d9bd96484f0ff7858c871995620dfdf2e7967dd50750e1dcb48b446677de032b086849d0dd9a5adef9ef0222274c26a8f64c0e73a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
fb2b3785962dfbf527824dc45cdf8190

SHA1
34ea1a330695f1d9fc863bca4ab914aa235e69e4

SHA256
68caed93266d905ec4287296871daefb7460033a9efb9ce7ed8d7550d13e6b32

SHA512
ee0f973c1e53f79059f6e58bc5dbffa8960b050c6334b613127a84fb39c46a1cd962ee96a709b67591bc1bc6433eb1afda35d46bb51aa224147b7e0b66abef2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b525df34aa5060211a15692d2dda581e

SHA1
f188865aba5ea18e7a00bde80398c85e9967207c

SHA256
505afe6c0269d52db936c58544b6dbc56ae578809972a2fad8595c4197eacc3a

SHA512
358221918da0fa383d7c02920b73c9613adba6c8b756e14bca8332c3b4a473368dd9c47021b19edd6a2a5110a85d789749a64d56e8ad1581b0bf30433ea5bdd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
8d47a2a6137da26766025df786bd0dda

SHA1
c770308d293c4bf7666a8047c82281ae1e34e2e8

SHA256
f4802276359913f617a744ca76a0a6bfea3509d28a7e44331555b7177db34196

SHA512
8fb95d9e7dc3a39b8d83e7c66c190fbab9f8cbe26f10cf57a75b5700d0a578d941d1753c6b9ec0d49e3ec159670c70c2cebd8739f370e77fe4cd9205ac4259a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
db62524953dc7b50274851694359937e

SHA1
fd4a32ce6683faf9f00c98a082b1ac1cc1084575

SHA256
955acb2810ce23490f6ba744df64d95cf387324116e84d583dcebad92aaf84e4

SHA512
8972f7f1227c231136a1e4610ef26477d3d0778fb7b3a2ba308593be19a1c58e248982cae4ba1f08fd77df762078f5592317001ffbe20c6b2fea613aa6f2ed42

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
c87640f43900d7bffa53e5c7f875d53b

SHA1
eac3c3b4a46037fcb103e47f7c325c1bf9bbc000

SHA256
68fe88553e83a1374cba6ab3bdca58118c70311bf38e90818e2ea2946adae1d8

SHA512
1aa2b5123ca5f7b2745186705996ff7d1a72c034459357a4cdcefcd0bbb31cf2c3a4ae0e99b9c385721925661bfb58ecd284370c009fc85aa085856a03cd44af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
110KB

MD5
649942b8599e05674836d10b6bf4ee1d

SHA1
acf7d8a119dd2f9652eb26ffe558a2922581c1a3

SHA256
b5a1eb9121ffc6158f90a149654c0bdfd6648b6c3492e89f9ab049a872e144f4

SHA512
8f46518ce815b07fa13a21e334ded7089d431e87b0d5abba4c29070d6206888b8f4691988158ef1e855f6956736fafe09fa1b579030647598a7330ad2a6f186e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
111KB

MD5
5a5169c12f183432493c0f64c4283b3c

SHA1
69a78182c9afc17c388e97fa7947d16e4d50729c

SHA256
ab1dee3216d52b435aa145b2c65c96e63a3e5d82b72518e981c7f2246547de33

SHA512
3190717aa77a00a163bf3784833c641e96b85da2f938923958632212b2ffc96f196726b53e4e5c37859ea643a98c551d67617ded7992c5832fe776a7ec9d62ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5a53fd.TMP

Filesize
103KB

MD5
b1652c77a8a402007597aa3da534cd16

SHA1
dd398ad412d655c1327480fd7b3ccbb0b67552ee

SHA256
49ee4cd2aa79229202d1283ecefa407320815d279d210795b9db14e103bda197

SHA512
205bd552e50862076cb347ea6479dd2f05db72b650a8312a5a790ffc8914e671bce71f4995dfca2fe17ef7b5ae940383e688483128d411a617b904d0b42ab276

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
78160c1f10eafdf9af68b57e77239e82

SHA1
125af85616cec920d101e3848dc22575db9ba49c

SHA256
670b75a6d932e8a3258d97682fa3a965de57c630352aad14ceaa8e1f640d9035

SHA512
bbd6fa105d68c0661bce5259f40524da03cab69a28320ca74562c6a0d59421dafa308cfc975cba302dfeb5392fc24646e51318bedc03b0413ee6d4a69a8e04ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA.7z

Filesize
12.8MB

MD5
1f942e64c7a056f95540b3e890c65093

SHA1
c183a78f8a41b151f8828e401cee60b869a68d8c

SHA256
4aa51cd9d88877796f5e503842d70356ea4c0894cb4b328ddf237a359809f9b0

SHA512
c77b8459895e93c514e02326ec8ac66c05a5ede497fc5e39e03d1b9cf2c2c7b2cc4f8612e849db11c6a4aad4a34d94debc5b0e95e722912bbfbf6298efedde8b

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA.7z

Filesize
14.1MB

MD5
725d2ee5c870ff962115ee308a7d3b5d

SHA1
2d5874dce2877f0132e04c83ec51ded62e92e18c

SHA256
8e59747922f416a4bf6a7f7b988f69e8673215fa71615117067c9234ccc676f9

SHA512
4181a419f5a4cd62d0769a9dcb662b39b18b1ade6cd5f28efe55f86b4b97496b1dd292c421d50e464bed6a74ba6cbd1cab48223deefe9c6d56fab5b3ed84de5c

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.exe

Filesize
2.4MB

MD5
fc1230cece5083034616fa54c36219a7

SHA1
06d9eb6365d3b9ea1c7d72ac0caebef61e42cfc6

SHA256
04ad5cea4b3bc8aba154e41d69123a3d2b96dcf46dc597bbcb2cdb51c6f13510

SHA512
c66e26834d26585c55a3232a0de0879fec3fe490c4dae84d35fa847287e2e6655d560200cb97f9023b3e2d467527eb0e442b5650dec4a479d2b401d52589eb3e

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.exe

Filesize
1.7MB

MD5
1250604635f661aaa8796c49032ba616

SHA1
91ba9b486c12a9c92fbaf8c5d858e83e5640a258

SHA256
d70b4d9c96e4da938e07b09e852a2b06679285cf9bb34f4ea35589e87912447e

SHA512
9d3d9f5e7dd26c1e9b6746d69e84f9d506bbfe508af20a04869391a76aadfed691fed80a6c6c0d24751547a53d052ab86d74e41c81702df651f2ed33f2b877db

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.part1.rar

Filesize
1.7MB

MD5
610d26ec91ad279a8fdf512ba95d0a4b

SHA1
f89d9b594027b7a076c412a2430b1b5acaa735b2

SHA256
c2c7cac71f50527d5b09ec617efccce5f3634446d0e85136522449093e03a2fd

SHA512
3b80e26d151ed7fd2f4f48dfb45e042f02b89ee6f378b1081b0f190aa9fbdbeaf4ffef2316f54588423038354e0972210f4743aa1005f0d4098ace8d782a6dad

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.part2.rar

Filesize
1.6MB

MD5
7aad21d8979b06e437858c23fe350f41

SHA1
aa926759516eb73ca4c88a8e8701df7fafbb44ba

SHA256
a68117a0393cc41c9c6f034a01db8f662975609b92f0cd6fd86773baf91a0f18

SHA512
494a430da2f6889be38f9d7b1b0d99130f9f9108b9b1fc6b233193e3df6c825ee760cb2ed80084e4ea4bcbd6dc2b964d0bf19dd3add76355182cf5418c9cffe0

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.part3.rar

Filesize
891KB

MD5
b05430630551c18ef6d777d28ca7d098

SHA1
6ad5631f53b16dd6d8a36a89e9101948253fabda

SHA256
4b7d7cc4e39f3c1df4d87ca7183ad84bddd2f227cd91a7eb356bdc9966199c40

SHA512
c61b8b7177224725319cfbc490e7a51dfb93028c81718648997948b076d3a2259a6b5f96e2ccbce628671c2d9892c5d1d9b965fa0484db023930509adadffcd1

Download Submit
C:\Users\Admin\Downloads\LISTA DE PRECIOS FERRETODO INDUSTRIAL CA\VER_LISTA DE PRECIOS.part4.rar

Filesize
1.1MB

MD5
fd3bd08f5da180617ded0881d3a6f54e

SHA1
ac9b7a973bc81defbdab17b2b8a8203974bb49bf

SHA256
a4d163a4e6ccf297ddaadf0deabed85fbf61fc278c06fbbf37931160d0216fe4

SHA512
0258a229497d464a48faa38e22c7f55a9dc2611a91bb3eb8eecede2bdbfaaedf4432bb778ccf746ec2ba33c3fd5bc93879dea153baa4114b943004a5d65d3c5a

Download Submit
memory/460-269-0x0000000013140000-0x000000001496E000-memory.dmp

Filesize
24.2MB

Download
memory/460-272-0x0000000013140000-0x000000001496E000-memory.dmp

Filesize
24.2MB

Download
memory/460-270-0x0000000013140000-0x000000001496E000-memory.dmp

Filesize
24.2MB

Download
memory/460-271-0x0000000013140000-0x000000001496E000-memory.dmp

Filesize
24.2MB

Download
memory/460-268-0x0000000013140000-0x000000001496E000-memory.dmp

Filesize
24.2MB

Download
memory/460-279-0x0000000013140000-0x000000001496E000-memory.dmp

Filesize
24.2MB

Download
memory/2000-234-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-253-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-284-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-149-0x0000000001D50000-0x0000000001D51000-memory.dmp

Filesize
4KB

Download
memory/2000-273-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-230-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-232-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-233-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-267-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-248-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-249-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/2000-252-0x0000000000400000-0x0000000001BB1000-memory.dmp

Filesize
23.7MB

Download
memory/3352-241-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-254-0x0000022595220000-0x0000022595230000-memory.dmp

Filesize
64KB

Download
memory/3352-260-0x0000022595BE0000-0x0000022595BF0000-memory.dmp

Filesize
64KB

Download
memory/3352-235-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-247-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-237-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-236-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-246-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-242-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-243-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-244-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download
memory/3352-245-0x00000225952D0000-0x00000225952D1000-memory.dmp

Filesize
4KB

Download