dbb232cf56cc45611e7ad1c6b4f085c6d83a76adb88f53f0ef4b73f61f69ac38

Analysis

max time kernel
149s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
29/05/2024, 13:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SOLICITUD DE PRESUPUESTO_.html
Size

441KB
MD5

8617c9d7288bece66be3540c59905c15
SHA1

2c15f2fcef0d79a9a2b21c8de6b871619f28913e
SHA256

dbb232cf56cc45611e7ad1c6b4f085c6d83a76adb88f53f0ef4b73f61f69ac38
SHA512

94652a77fb773b84ca3d0a28953ecbcd1a9828dc283f4210a36aaa8ca1e95b1646a7bd3ee9169d6f3f25a016bc55e02417ecf0456342092d1371f2d3a0013652
SSDEEP

12288:DOdf/jOF2Az2WOrxqg1cEO+1VcEh/DSFrf:6w5GxlvOQ/DS5

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3436	VER_DOCUMENTO.exe
3648	VER_DOCUMENTO.exe
2248	VER_DOCUMENTO.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
22	drive.google.com
23	drive.google.com

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1156	msedge.exe
1156	msedge.exe
4480	msedge.exe
4480	msedge.exe
4260	identity_helper.exe
4260	identity_helper.exe
2240	msedge.exe
2240	msedge.exe
2984	msedge.exe
2984	msedge.exe
716	msedge.exe
716	msedge.exe
716	msedge.exe
716	msedge.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1564	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

description	pid	Process
Token: SeRestorePrivilege	1188	7zG.exe
Token: 35	1188	7zG.exe
Token: SeSecurityPrivilege	1188	7zG.exe
Token: SeSecurityPrivilege	1188	7zG.exe
Token: SeBackupPrivilege	4876	svchost.exe
Token: SeRestorePrivilege	4876	svchost.exe
Token: SeSecurityPrivilege	4876	svchost.exe
Token: SeTakeOwnershipPrivilege	4876	svchost.exe
Token: 35	4876	svchost.exe

Suspicious use of FindShellTrayWindow 48 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
1188	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of SetWindowsHookEx 15 IoCs

pid	Process
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe
1564	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 220	4480	msedge.exe	83
PID 4480 wrote to memory of 220	4480	msedge.exe	83
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 4264	4480	msedge.exe	84
PID 4480 wrote to memory of 1156	4480	msedge.exe	85
PID 4480 wrote to memory of 1156	4480	msedge.exe	85
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86
PID 4480 wrote to memory of 3904	4480	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument C:\Users\Admin\AppData\Local\Temp\SOLICITUD DE PRESUPUESTO_.html
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff96de446f8,0x7ff96de44708,0x7ff96de44718
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2040 /prefetch:2
  2⤵
  PID:4264
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2520 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1156
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2940 /prefetch:8
  2⤵
  PID:3904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4236 /prefetch:1
  2⤵
  PID:1584
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  PID:2916
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5796 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:1504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4860 /prefetch:1
  2⤵
  PID:2184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5824 /prefetch:1
  2⤵
  PID:2316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
  2⤵
  PID:1048
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:2716
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=1448 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1460 /prefetch:1
  2⤵
  PID:372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5072 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5644 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2984
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1996,10414952639070069345,17809527813705339319,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2744 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:716

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4156

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2780

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1564

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:4676

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap21053:86:7zEvent27808
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1188

C:\Users\Admin\Downloads\VER_DOCUMENTO.exe
"C:\Users\Admin\Downloads\VER_DOCUMENTO.exe"
1⤵
- Executes dropped EXE
PID:3436

C:\Users\Admin\Downloads\VER_DOCUMENTO.exe
"C:\Users\Admin\Downloads\VER_DOCUMENTO.exe"
1⤵
- Executes dropped EXE
PID:3648

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k SDRSVC
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4876

C:\Users\Admin\Downloads\VER_DOCUMENTO.exe
"C:\Users\Admin\Downloads\VER_DOCUMENTO.exe"
1⤵
- Executes dropped EXE
PID:2248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4f7152bc5a1a715ef481e37d1c791959

SHA1
c8a1ed674c62ae4f45519f90a8cc5a81eff3a6d7

SHA256
704dd4f98d8ca34ec421f23ba1891b178c23c14b3301e4655efc5c02d356c2bc

SHA512
2e6b02ca35d76a655a17a5f3e9dbd8d7517c7dae24f0095c7350eb9e7bdf9e1256a7009aa8878f96c89d1ea4fe5323a41f72b8c551806dda62880d7ff231ff5c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
ea98e583ad99df195d29aa066204ab56

SHA1
f89398664af0179641aa0138b337097b617cb2db

SHA256
a7abb51435909fa2d75c6f2ff5c69a93d4a0ab276ed579e7d8733b2a63ffbee6

SHA512
e109be3466e653e5d310b3e402e1626298b09205d223722a82344dd78504f3c33e1e24e8402a02f38cd2c9c50d96a303ce4846bea5a583423937ab018cd5782f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002

Filesize
14.6MB

MD5
8cf54e3723342a21be7a82d144a9e64f

SHA1
634a4b4225039828f2ab8661b82fd0aea843e968

SHA256
81c0d89423936f46493992a7807e20150ae2b67234a9a296b7fc3a84eacbdd9b

SHA512
d544bbcda579b98b862a7c45fc957716c5ae9ae8a3466396e4f84d871bd36b247ff8ee2c51011ee8c8f5009fddd9210a5e4d93326595d01962e15c8e79d3b314

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
634B

MD5
9a4736d21fe0166895c52d76efc56f21

SHA1
132dae72febecd6273c787958302696767e4c9c9

SHA256
bae80760465880d8a93dc225de0fb50ca9d07b20aaa060b8da771967394b4ef9

SHA512
356c3de031243101d5c7690ad908cf1c66346d93423e46d8c0cac0ff513ea4caaf2b7a832d9dec8668567021f339c4a103c865685a0dbdeb3795ab3ef9e596ff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
696B

MD5
d1fa2d0eb20a9151f71009310e8e5259

SHA1
dedbe4cb5513d3e403139e6a6652914086ebcbca

SHA256
ec3a2b9012d0b356b6ca61af2e2b01ed0df5aaa5c05f8330332b7d03c0c2e39e

SHA512
7755c6416840b9effc0f6a805c1ff2e186ec1bdff9cb2c00639908611377395fedab7489919b282ed9b35d6f588010c35b60dc71a31d220e56857c4b1836c2b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f74be6d63622eb25a498299147a43224

SHA1
041b22ff573912b0444a47ea38091b3f283a4842

SHA256
7cc2db733e9a888784846879a5cd0f116f05bb84d13efc05315ed6560c72cb98

SHA512
fd0d84f291b31b13857fdf2d2f9d2aa2061c1be247535320c920654c869312694808e973de3cf04a0518d5a80a0bf053f73ad2f2e288f6326c0d37ddfc49c5aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
a76079a1e59119d4a61278c75b3589da

SHA1
e04ad4d72772b435c50575d5fb6180c629110d16

SHA256
68a72c2344c6fd9c4a41d3db0934b4afae80204e21c2099704fa14cc45d8d8a2

SHA512
63e8d243038f0ef88317a25bf0716dec6c32ca6d63f1d1d254dcfb583dcbaf293be6e69ae95c6ff23476dc346dadb352d491fabe8c6ad0289f7eb877db80ccb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
14e5a972cc01a3e7c8e2172848478188

SHA1
2cf8c726d0cb8f984a039a55613d02d7aed15a62

SHA256
1d989d7dcdc03e3359c6f7d9bfbdb7480ae75cd620c33e727dce2c6260460f80

SHA512
018a72d946ddac4bf9dd7a69a5f36c12b6141e0847ac9f0d552bc2532a78309286d3b850785759fad10cb229a81f020e68b72d3447c5702f66817af8b3753f0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
a8ab3fe9c082325e746b9675a033f154

SHA1
3a7881d4e9c985fef65873b7f282258dc13a1b1f

SHA256
f25c1a4c05c6c8d92e96629867ed45d156e28409e1f13e7634b3a40b53f21a31

SHA512
5b18df1a188ea74570ddddcec81078b6baecfeb40b4225c4005af74bd30a7ccb27da536f5248d57651e473f0d84462b9dee29e3a0a321662320de2d984fc2318

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
204B

MD5
ce9fa094f878886724a73ce52eb5d16c

SHA1
22216952e3a2579ec95280a4b4337baa0c6991b0

SHA256
24a51a47e7f560c9f64f022e0115c5cd8051c693041fb365f53d8b8527c8eabf

SHA512
33b4b30c11a0d66b5c6fcf3ad214f3d1933ca934add4b10a216a406b3a95c61e0f3bbd73f4a25e7ef20ee0c06a6e7c8cfbd16b2e754620b65015029876c495b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c525.TMP

Filesize
204B

MD5
ffb0a581ee3db80054bb35d2bda90fbd

SHA1
b6d7e6d2f24659dc6d95cdadac62071f78578806

SHA256
6f878b89952a323abfe7976ca70710bc4cbae10a9873b6f589d8bd4df595c6d4

SHA512
9c3267285a060f8281e1e167eec2033f77fa6eab5c67be4cc41722b7b65a855d9065c8625cbb4d245d2f9d7e9050bfcdeb9607f2e50c18c5a0643d36edeb49e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
588f5b0f870dceefc24372ee61d298dd

SHA1
47087d86ed2ec54addd3a49b19b520cb30c50896

SHA256
ec3a2657a8e6f08949622f0bbc1e5b87493f71c97dc7cd1ff9f87ce10c22da51

SHA512
847a5eb3009278159a5d6306d9fea2d4ef9feab87cb63083674f9bf1a3eae2b16ef4459299e12e059dadc6a2a5b2eab8a29bf4dae3d5a3f4c06b60a5b8311fa3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
6ac424896ad1016701ce923e0001cb0f

SHA1
73059ffe1d918ab7f0172be1fe779bdf540b7d80

SHA256
eeba1c6dcd3489ebaf6889f80ec25d1b6264b6f1a2ea0884d77c992a735286f2

SHA512
3822f4c9ab934400cfd546c641389d94c05fcc8d7f589ca711d869a7d818db08a0428ee21dcd9018c6300fe680c564fb05a881f1873a0b5bffca58a1c9e82c10

Download Submit
C:\Users\Admin\Downloads\VER_DOCUMENTO.exe

Filesize
19.5MB

MD5
9e931d542e54e7797eb08af28faf46c6

SHA1
e323f0684db989219304fcf3713a47f20d8d818b

SHA256
ef37f52b7efdfe399b4e52df360733779d70da28e8218d23ed6dadbacf3037b4

SHA512
f9801abb3dae1fb53268dc9193103272004658bd91589c5377fb09f5f7ead72423bd3b07d977058c75f9f6e9475b0ad7cb0c9a62467202d650d4b2d58e2b5fdc

Download Submit
memory/2248-182-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/2248-199-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3436-172-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3436-176-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3436-181-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3436-198-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3648-174-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3648-178-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download
memory/3648-197-0x0000000000400000-0x0000000001784000-memory.dmp

Filesize
19.5MB

Download