asyncrat | be8d4337bcbf873006a61419c7544a090b59962c78947ff588f10f4e0c1b5cdd

Analysis

max time kernel
130s
max time network
128s
platform
windows10-1703_x64
resource
win10-20240404-es
resource tags

arch:x64arch:x86image:win10-20240404-eslocale:es-esos:windows10-1703-x64systemwindows
submitted
29-05-2024 15:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.24.03-NOTIFICACION PROCESO DEMANDA EN SU CONTRA.svg
Size

298KB
MD5

5e29757a2e4e69edcf62ebe494fc7720
SHA1

e99af1b87bef9387d6fcadcf5fb819e445c5898d
SHA256

be8d4337bcbf873006a61419c7544a090b59962c78947ff588f10f4e0c1b5cdd
SHA512

a7060a31e2bb1f375cbe3beded2c7365d8cc6849173ec8b7877ba7c7267eeeaa4a6479c6e13a64937eba8149378e263833f4fb4975cecec8d749bce906ebab2f
SSDEEP

3072:4EPuUV5BP1U7u6+ni3Dx6DRVgEkO5I2vzUuvouO61uka6oFuZ0gudOupuTuCuwxi:7S

Score

10^/10

asyncrat clientes rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Clientes

noescorrecto2023.kozow.com:2021

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

12 raw.githubusercontent.com
13 raw.githubusercontent.com

flow	ioc
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Suspicious use of SetThreadContext 4 IoCs

Processes:

01 PROCESO JUDICIAL.execmd.exe01 PROCESO JUDICIAL.execmd.exe

description	pid	process	target process
PID 3084 set thread context of 372	3084	01 PROCESO JUDICIAL.exe	cmd.exe
PID 372 set thread context of 508	372	cmd.exe	MSBuild.exe
PID 3548 set thread context of 3120	3548	01 PROCESO JUDICIAL.exe	cmd.exe
PID 3120 set thread context of 4092	3120	cmd.exe	MSBuild.exe

Drops file in Windows directory 1 IoCs

Processes:

cmd.exe

description ioc process

File created C:\Windows\Tasks\makemake.job cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\Tasks\makemake.job	cmd.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133614699076027873"	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-160447019-1232603106-4168707212-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

Processes:

chrome.exe01 PROCESO JUDICIAL.execmd.exe01 PROCESO JUDICIAL.exeMSBuild.execmd.exechrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
3084	01 PROCESO JUDICIAL.exe
3084	01 PROCESO JUDICIAL.exe
372	cmd.exe
372	cmd.exe
3548	01 PROCESO JUDICIAL.exe
3548	01 PROCESO JUDICIAL.exe
3548	01 PROCESO JUDICIAL.exe
508	MSBuild.exe
508	MSBuild.exe
3120	cmd.exe
3120	cmd.exe
3120	cmd.exe
3120	cmd.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
508	MSBuild.exe
4176	chrome.exe
4176	chrome.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

01 PROCESO JUDICIAL.execmd.exe01 PROCESO JUDICIAL.execmd.exe

pid process

3084 01 PROCESO JUDICIAL.exe
372 cmd.exe
372 cmd.exe
3548 01 PROCESO JUDICIAL.exe
3120 cmd.exe
3120 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

Processes:

chrome.exe

pid process

1960 chrome.exe
1960 chrome.exe
1960 chrome.exe
1960 chrome.exe

pid	process
3084	01 PROCESO JUDICIAL.exe
372	cmd.exe
372	cmd.exe
3548	01 PROCESO JUDICIAL.exe
3120	cmd.exe
3120	cmd.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe
Token: SeShutdownPrivilege	1960	chrome.exe
Token: SeCreatePagefilePrivilege	1960	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe
1960	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MSBuild.exe

pid process

508 MSBuild.exe

pid	process
508	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 1960 wrote to memory of 4292	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4292	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 316	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4468	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 4468	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe
PID 1960 wrote to memory of 3212	1960	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\1.24.03-NOTIFICACION PROCESO DEMANDA EN SU CONTRA.svg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffc83de9758,0x7ffc83de9768,0x7ffc83de9778
  2⤵
  PID:4292
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1600 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:2
  2⤵
  PID:316
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1804 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:8
  2⤵
  PID:3212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2892 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2664 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4088 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:8
  2⤵
  PID:628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4212 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:8
  2⤵
  PID:1428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --mojo-platform-channel-handle=3280 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:1
  2⤵
  PID:2812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --mojo-platform-channel-handle=4172 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:1
  2⤵
  PID:380
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5036 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:8
  2⤵
  PID:4796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5532 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:8
  2⤵
  PID:4812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.15063.0 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5188 --field-trial-handle=2104,i,7677475351892328422,4090821900840950211,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4176

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2936

C:\Users\Admin\Desktop\PROCESO JUDICIAL JUZGADO CIVIL 02 DEL CIRCUITO\01 PROCESO JUDICIAL.exe
"C:\Users\Admin\Desktop\PROCESO JUDICIAL JUZGADO CIVIL 02 DEL CIRCUITO\01 PROCESO JUDICIAL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3084
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:372
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:508

C:\Users\Admin\Desktop\PROCESO JUDICIAL JUZGADO CIVIL 02 DEL CIRCUITO\01 PROCESO JUDICIAL.exe
"C:\Users\Admin\Desktop\PROCESO JUDICIAL JUZGADO CIVIL 02 DEL CIRCUITO\01 PROCESO JUDICIAL.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3548
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3120
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    PID:4092

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
784B

MD5
7add5250f0fba973b5127a48db216d28

SHA1
3c2647a16aa94e30e48e65655c483769d5d33505

SHA256
f70f3b8107e0eb0bfe14c4346a40e0b38dd013b01d72d31a3605e27f251d6cd8

SHA512
15141c1b191e719167d26053fb1dbb4f60d0c078146e660e78196110cca59d6aeda942364aaf7ac49b4093cc61e66ebcccaf31da3ee51eb23cce8328765ee6e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
706B

MD5
fd8d86b193247efa5e71b94c08887907

SHA1
fa2b11d6a97064062556323b1966d534c14d3e49

SHA256
5789f6d1472c0f2579648233f530c1a4b2c892bb61dc1382483821159b81b4e3

SHA512
2bd0a310840f5d5176a2b43e280bb80a897c91377e98dc76fe57efeb6aa87c98059d2a5e6a0e56aa390d10c75fb9fdec21e9e31c2494edf32ee5f90f09892f8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
e8b7cdf4b5c7e0a8ac6038e3c73ddb81

SHA1
a0efa006bb37f6e2461cd28ef70830c07b2140a5

SHA256
1e01ddd2bb083dbcd3b2fd3d01d2ee458270f024d11b4a7b1b135525aa56ea35

SHA512
3ca29cbb6f3d04aa1adee5b2b12765601fac9d3a5e5d60cbcafeab595d4188f849136958cc40095c1b50c83e04ca4cd6cec3289e797e359c8044e996b62d9793

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
f0fbee2bb2c81c6de52f8c2dd9dcf20c

SHA1
4f6c3b9a78fc1a1ac6318438798b36362ba218ac

SHA256
ae0d3170031550e2f6999f568b7abf73c769c79ccc5ca7e965140a92638b6bc9

SHA512
41a0055ebe86ad979761a229310d37962d8cf7a12750970fd3a10e03dc310f16b22d43aef788d47eb5e34b215dc54a4c24a341eb405e9fee4f81d5bd4c343892

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ecc9fbeb3be7f43fa6828d8754c8e9fa

SHA1
b70c3af32aad18a4805b40da866817aa8f8d3f74

SHA256
09a7fdcf0be36def331583822987e78da2e2b11242545963ea9c30e3668a09c3

SHA512
68288f1ebd0433404f38412a75acb2ce694e37b73ac0ac8a798d5064e9f2a7eefeaaaef8164e6273307fd74097d0e467f87fc2a15ec065181449241051e2c80c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
4c431d5139266ecf25afb9c0fb5bd33a

SHA1
9e581bf0c3a09fdb00c09881c65974a888e26c8d

SHA256
2a2be254cf12c5562676be2d754617b4176fed090a651a4181a1331a37932a7a

SHA512
46db4bc402d221045e5d6b6235d89f9b3b3d88f9548fbf4c2ceba059d143c3dc740ef1845157a111727d2477682385fd54a456dd669ba594ebf9b97c5062b202

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
136KB

MD5
f184a5e2d18805b19761e1415ff985a7

SHA1
1dc71ace9d0fdb7850e1ff49c58512bf858358b2

SHA256
e2254d648c96f1c70757a4cbaa6f26b0a94016f986042823911ce901d84c919c

SHA512
5ca11f1b12c14786873e5e25d59d8f55d65820939e98f1324a0fb174af58f608f2b7d88f519f39116fc8f192632539f7aec2b32936554594fcd29a653d930fc4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\71352812

Filesize
774KB

MD5
b56bf7c65acd3d613210d6c649528ece

SHA1
1243466be3cc30238cf6e76baaa478609ef8abe0

SHA256
b1559e2a26ddf2ad6f111d6f8580a796d43935afbc160c80f4c3e031a8feca31

SHA512
2e9d99c527fa8981569ed7805d23cc1bdb67800297ff2d678fe6bda83bffc3142109ceb3c7b469edef0d1a847d3fe4e92775b257b75676c12a739c7c35510ddb

Download Submit
C:\Users\Admin\AppData\Local\Temp\ba42214

Filesize
774KB

MD5
3a76bbf7ac3ced1e3197e3f03772638d

SHA1
3a96dffdd0601d05cf8770549fdf423cecf6c6f3

SHA256
c3015d4dbe1214be9e8c97b3d8a8d3d7d67b659911aa59ed10efc33893319b9f

SHA512
d79e9f1b65b962738f2dd646623178eaf58b55e905ac1364601a59f486cb71f704511d6828a54246162e6f1ca03a15ae2663181d076947de90abaf66e73a8132

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\Qt5Core.dll

Filesize
6.0MB

MD5
41dc9ae1fd9ed3ac3a2b2b756b14a1e6

SHA1
ea9884197acaf277b47f59711edba22b100519fd

SHA256
97fe174f5d78a12e60b5528bb1b5cfaad33126c0e908f8d3d74ef054c850b5bc

SHA512
fb59a5502471a5eb4c94836eda73f6c8d6da1e5992ef98260dbaf571d09716f0241b0ab3c11bbff33813d66be7060a3dbe9cbed6af1cf43bbd96a2b19e147170

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\Qt5Network.dll

Filesize
1.3MB

MD5
c24c89879410889df656e3a961c59bcc

SHA1
25a9e4e545e86b0a5fe14ee0147746667892fabd

SHA256
739bedcfc8eb860927eb2057474be5b39518aaaa6703f9f85307a432fa1f236e

SHA512
0542c431049e4fd40619579062d206396bef2f6dadadbf9294619c918b9e6c96634dcd404b78c6045974295126ec35dd842c6ec8f42279d9598b57a751cd0034

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\anesthesiology.ini

Filesize
49KB

MD5
b9e87107d06e2254c00ad9df942f1230

SHA1
1ff65597013ba51451d566412706d602ae76e585

SHA256
3d6eea36d854f539c04204a473ef65b3c8a11958ddc8816b72312e711c7d6fd3

SHA512
9c55ce069130fd49ba16c626be5a4603f5efde9891ebf451298dff8425f690e5dcab4743374eb273b08b365d2a058e8bdf593d46a5830b814560d00b2348e54f

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\badge.dat

Filesize
541KB

MD5
d351e0adeacff321851fb1f570897eb6

SHA1
570d03d2d236de7f582f9dc3b991438b59c4df84

SHA256
fece3362b731b81e9c1cb7948c28e576bd357425f5827b76b0ef135cfc82267c

SHA512
8779fb22f35f732d609b87c3daa9a0346bb451e6ded306bad712bf93956ee11b4d32bedb12a4379e93c5449eabef845737faa38c7fd9f3ed3e6a441da0ca4e47

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\libcrypto-1_1-x64.dll

Filesize
2.7MB

MD5
28dea3e780552eb5c53b3b9b1f556628

SHA1
55dccd5b30ce0363e8ebdfeb1cca38d1289748b8

SHA256
52415829d85c06df8724a3d3d00c98f12beabf5d6f3cbad919ec8000841a86e8

SHA512
19dfe5f71901e43ea34d257f693ae1a36433dbdbcd7c9440d9b0f9eea24de65c4a8fe332f7b88144e1a719a6ba791c2048b4dd3e5b1ed0fdd4c813603ad35112

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\libssl-1_1-x64.dll

Filesize
669KB

MD5
4ad03043a32e9a1ef64115fc1ace5787

SHA1
352e0e3a628c8626cff7eed348221e889f6a25c4

SHA256
a0e43cbc4a2d8d39f225abd91980001b7b2b5001e8b2b8292537ae39b17b85d1

SHA512
edfae3660a5f19a9deda0375efba7261d211a74f1d8b6bf1a8440fed4619c4b747aca8301d221fd91230e7af1dab73123707cc6eda90e53eb8b6b80872689ba6

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\msvcp140.dll

Filesize
564KB

MD5
1ba6d1cf0508775096f9e121a24e5863

SHA1
df552810d779476610da3c8b956cc921ed6c91ae

SHA256
74892d9b4028c05debaf0b9b5d9dc6d22f7956fa7d7eee00c681318c26792823

SHA512
9887d9f5838aa1555ea87968e014edfe2f7747f138f1b551d1f609bc1d5d8214a5fdab0d76fcac98864c1da5eb81405ca373b2a30cb12203c011d89ea6d069af

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\msvcp140_1.dll

Filesize
34KB

MD5
69d96e09a54fbc5cf92a0e084ab33856

SHA1
b4629d51b5c4d8d78ccb3370b40a850f735b8949

SHA256
a3a1199de32bbbc8318ec33e2e1ce556247d012851e4b367fe853a51e74ce4ee

SHA512
2087827137c473cdbec87789361ed34fad88c9fe80ef86b54e72aea891d91af50b17b7a603f9ae2060b3089ce9966fad6d7fbe22dee980c07ed491a75503f2cf

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\steam_api64.dll

Filesize
291KB

MD5
6b4ab6e60364c55f18a56a39021b74a6

SHA1
39cac2889d8ca497ee0d8434fc9f6966f18fa336

SHA256
1db3fd414039d3e5815a5721925dd2e0a3a9f2549603c6cab7c49b84966a1af3

SHA512
c08de8c6e331d13dfe868ab340e41552fc49123a9f782a5a63b95795d5d979e68b5a6ab171153978679c0791dc3e3809c883471a05864041ce60b240ccdd4c21

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\vcruntime140.dll

Filesize
106KB

MD5
49c96cecda5c6c660a107d378fdfc3d4

SHA1
00149b7a66723e3f0310f139489fe172f818ca8e

SHA256
69320f278d90efaaeb67e2a1b55e5b0543883125834c812c8d9c39676e0494fc

SHA512
e09e072f3095379b0c921d41d6e64f4f1cd78400594a2317cfb5e5dca03dedb5a8239ed89905c9e967d1acb376b0585a35addf6648422c7ddb472ce38b1ba60d

Download Submit
C:\Users\Admin\AppData\Roaming\readerWordpad_pv\vcruntime140_1.dll

Filesize
48KB

MD5
cf0a1c4776ffe23ada5e570fc36e39fe

SHA1
2050fadecc11550ad9bde0b542bcf87e19d37f1a

SHA256
6fd366a691ed68430bcd0a3de3d8d19a0cb2102952bfc140bbef4354ed082c47

SHA512
d95cd98d22ca048d0fc5bca551c9db13d6fa705f6af120bbbb621cf2b30284bfdc7320d0a819bb26dab1e0a46253cc311a370bed4ef72ecb60c69791ed720168

Download Submit
C:\Users\Admin\Downloads\PROCESO JUDICIAL JUZGADO CIVIL 02 DEL CIRCUITO (2).zip.crdownload

Filesize
7.4MB

MD5
e55246f48c7ccf17d723774bdeedae9f

SHA1
666cd26bce03816fa7796de9fdfb94eb9ca796ab

SHA256
519bce5b9d1932d8533204de69cec2aacfc9118e1f159e6a8ca29898ad5bde6e

SHA512
a7d048dfee965505b9177b4bae6c3d135ebab4758d74e966d2d1b5c3ea3976333cb83b08ab3df47c8c1a547eea62f47f0d534763598735f4ce5bfc10cdaeded0

Download Submit
C:\Windows\Tasks\makemake.job

Filesize
362B

MD5
d2995f6e4e37d87f6992e5160dddf1d0

SHA1
0e273b8c0d3d9101b66d68fd0055cb9e40bc3569

SHA256
0b3a0bae7887efc28c88010f56bdf0e618b8f24939c53defae8e3a754d142f81

SHA512
eb724fc64e48357468c0f227f8d7b2bd2013e8cafd25313d0471df56d6ecf49bc764341d36e1111a5ee0294ab11a6b5aa7dfa339d167da8e445085769b386acd

Download Submit
\??\pipe\crashpad_1960_MRPGZVMZTYPLONAN

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/372-108-0x0000000074050000-0x00000000741CB000-memory.dmp

Filesize
1.5MB

Download
memory/372-105-0x0000000074050000-0x00000000741CB000-memory.dmp

Filesize
1.5MB

Download
memory/372-98-0x00007FFC8CEB0000-0x00007FFC8D08B000-memory.dmp

Filesize
1.9MB

Download
memory/508-145-0x0000000006B60000-0x0000000006C62000-memory.dmp

Filesize
1.0MB

Download
memory/508-133-0x00000000729B0000-0x0000000073D33000-memory.dmp

Filesize
19.5MB

Download
memory/508-136-0x0000000000FD0000-0x0000000000FE6000-memory.dmp

Filesize
88KB

Download
memory/508-144-0x00000000066A0000-0x0000000006706000-memory.dmp

Filesize
408KB

Download
memory/508-143-0x0000000006600000-0x000000000669C000-memory.dmp

Filesize
624KB

Download
memory/508-140-0x0000000005E50000-0x000000000634E000-memory.dmp

Filesize
5.0MB

Download
memory/508-141-0x0000000005B30000-0x0000000005BC2000-memory.dmp

Filesize
584KB

Download
memory/508-142-0x0000000005B00000-0x0000000005B0A000-memory.dmp

Filesize
40KB

Download
memory/3084-95-0x00007FFC6DA90000-0x00007FFC6DBFA000-memory.dmp

Filesize
1.4MB

Download
memory/3084-74-0x00007FFC6DA90000-0x00007FFC6DBFA000-memory.dmp

Filesize
1.4MB

Download
memory/3120-146-0x00007FFC8CEB0000-0x00007FFC8D08B000-memory.dmp

Filesize
1.9MB

Download
memory/3120-147-0x0000000073E40000-0x0000000073FBB000-memory.dmp

Filesize
1.5MB

Download
memory/3120-151-0x0000000073E40000-0x0000000073FBB000-memory.dmp

Filesize
1.5MB

Download
memory/3548-137-0x00007FFC6D320000-0x00007FFC6D48A000-memory.dmp

Filesize
1.4MB

Download
memory/3548-109-0x00007FFC6D320000-0x00007FFC6D48A000-memory.dmp

Filesize
1.4MB

Download
memory/4092-153-0x00000000729B0000-0x0000000073D33000-memory.dmp

Filesize
19.5MB

Download