asyncrat | 6e6577761b13f6a42f212419a8fcca10f35ab9315f24e9be39c8fc5cdfcfea10

Analysis

max time kernel
299s
max time network
305s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 20:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34-CITACION DEMANDA EN SU CONTRA -JUZGADO LABORAL 04 CIRCUITO ESPECIALIZADO EXTINXION-044.svg
Size

365KB
MD5

80193d67d0da94a9d928fe4bc5b3a7cc
SHA1

ec3b1f52e184dd87dfe9ceb2eb5cdca6f96f5dc4
SHA256

6e6577761b13f6a42f212419a8fcca10f35ab9315f24e9be39c8fc5cdfcfea10
SHA512

b376e9152c6ec0b45d8e9fa7d4f298a8ddf2d873c3b42b3f7d60704dbef3c7a4967a6e32fef5cd8fa0019bd6176401c2b8fcc0698437c2ae8082bfacb9088957
SSDEEP

3072:RCkLBpCoMXyV1d/Cl+XlwdgrJGwS4BHKlgeJtonukwUwPsWw5wzwQw6qmPwOhuqZ:RfBpCoK21dE+XlpJGwSsKldhLsuCY

Score

10^/10

asyncrat default discovery evasion execution rat trojan

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

melo2024.kozow.com:8000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_file
AnsyFelix
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	mshta.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	mshta.exe

Executes dropped EXE 1 IoCs

pid	Process
1356	01 NOTIFICACION DEMANDA..exe

Loads dropped DLL 10 IoCs

pid	Process
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\DriverStore\FileRepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe
File created	\??\c:\windows\system32\driverstore\filerepository\display.inf_amd64_71aa85b0e2292a7a\display.PNF	chrome.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1356 set thread context of 812	1356	01 NOTIFICACION DEMANDA..exe	114
PID 812 set thread context of 3136	812	cmd.exe	118

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
64	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 18 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	01 NOTIFICACION DEMANDA..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mshta.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Kills process with taskkill 3 IoCs

evasion

pid	Process
2296	taskkill.exe
1412	taskkill.exe
1260	taskkill.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133664131154207383"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000_Classes\Local Settings	chrome.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
388	reg.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
1356	01 NOTIFICACION DEMANDA..exe
812	cmd.exe
812	cmd.exe
812	cmd.exe
812	cmd.exe
3136	MSBuild.exe
3136	MSBuild.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
1800	chrome.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
4304	powershell.exe
64	powershell.exe
64	powershell.exe
64	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
2200	powershell.exe
64	powershell.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1356	01 NOTIFICACION DEMANDA..exe
812	cmd.exe
812	cmd.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe
Token: SeShutdownPrivilege	4880	chrome.exe
Token: SeCreatePagefilePrivilege	4880	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
2168	7zG.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe
4880	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3136	MSBuild.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 4632	4880	chrome.exe	84
PID 4880 wrote to memory of 4632	4880	chrome.exe	84
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 824	4880	chrome.exe	85
PID 4880 wrote to memory of 2068	4880	chrome.exe	86
PID 4880 wrote to memory of 2068	4880	chrome.exe	86
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87
PID 4880 wrote to memory of 1840	4880	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\34-CITACION DEMANDA EN SU CONTRA -JUZGADO LABORAL 04 CIRCUITO ESPECIALIZADO EXTINXION-044.svg
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.106 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff946d4cc40,0x7ff946d4cc4c,0x7ff946d4cc58
  2⤵
  PID:4632
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1972,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=1968 /prefetch:2
  2⤵
  PID:824
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1948,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2020 /prefetch:3
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2244,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=2260 /prefetch:8
  2⤵
  PID:1840
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3140 /prefetch:1
  2⤵
  PID:3656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3108,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:2864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4632,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4644 /prefetch:8
  2⤵
  PID:4476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4480,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4856 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4676,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=5004 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4920,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4752,i,9127783945341386620,8410179554879408166,262144 --variations-seed-version=20240708-180128.343000 --mojo-platform-channel-handle=4868 /prefetch:8
  2⤵
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  PID:1800

C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.106\elevation_service.exe"
1⤵
PID:2100

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4624

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1384

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\" -spe -an -ai#7zMap32082:236:7zEvent8211
1⤵
- Suspicious use of FindShellTrayWindow
PID:2168

C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe
"C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:1356
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:812
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:3136
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2296
  - - C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\zqhvuuks.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:3512
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1412
  - - C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\aizcy0cn.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4244
  - - C:\Windows\SysWOW64\taskkill.exe
      "C:\Windows\System32\taskkill.exe" /im cmstp.exe /f
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:1260
  - - C:\Windows\SysWOW64\cmstp.exe
      "C:\Windows\system32\cmstp.exe" /au C:\Windows\temp\eki13un4.inf
      4⤵
      System Location Discovery: System Language Discovery
      PID:4216

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
PID:1512
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""REG ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:4544
- - C:\Windows\SysWOW64\reg.exe
    "C:\Windows\System32\reg.exe" ADD HKLM\software\microsoft\windows\currentversion\policies\system /v ConsentPromptBehaviorAdmin /t REG_DWORD /d 0 /f
    3⤵
    - UAC bypass
    - System Location Discovery: System Language Discovery
    - Modifies registry key
    PID:388
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:3460
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:4304
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(""WScript.Shell"").Run ""PowerShell -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Public\Remove.ps1"",0:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:2120
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -ExecutionPolicy Bypass -Command C:\Users\Public\Remove.ps1
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:64
- C:\Windows\SysWOW64\mshta.exe
  mshta vbscript:Execute("CreateObject(ChrW(87) + ChrW(83) + ChrW(99) + ChrW(114) + ChrW(105) + ChrW(112) + ChrW(116) + ChrW(46) + ChrW(83) + ChrW(104) + ChrW(101) + ChrW(108) + ChrW(108)).Run ""powershell.exe Stop-Process -Name 'cmstp'"", 0, true:close")
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  PID:764
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Stop-Process -Name 'cmstp'
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\111a39fc-7931-445d-b927-79ac48081507.tmp

Filesize
9KB

MD5
b17094d3cd47b81935a7a7aa269ee8b1

SHA1
18b57f5c0d08d4cb0e3a018a4f66132eabb10406

SHA256
76bbc3dade56cc56031a3bded3aceba49bda855a63c6358973e29a88ee61b3b5

SHA512
cd91df52e1f44118ec27c62771f0f87ff28a6cf5853b01c5d497e71b85d5cceeedb2635dd3d5bc81b36e05a25bb53d1f17a6c87188cadf76cb0a101d226ea64e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
4820b35df4a3353e74b2fe94cace64db

SHA1
669b3ade431b2aab5fdbeaa05d8c806802e9198c

SHA256
cdc8d995deb5c2b5cf4cec9ffbfadc4bc99d6fc8f102b6a105980d81747b8a2d

SHA512
0a19150e90e6d4386fa0e06bd1f5c74d0753b0c09fc340abf0aae314eb4fa9812042840af2b223a5fa43c8b0c515521236a088641155e24461d97d45781d6f37

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
2e3454287b1ae43a1ecafb4c1f54c61b

SHA1
4eead3ade14dd4b49aaba696cab01e5cee3aaed7

SHA256
bbea6dca453ec47462ce7c3d825c5ff759fe889f66611bd2bbbf105711e73bf0

SHA512
fb0455ec9a51c556fe074dee44ef7d94e498315b994eb5dc038ca9c6176093c91b48f10bd3b3c0811fa06844ecb9b02d39e98b6d556407aee748b71505586015

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
690B

MD5
22badae22a367bdeedb1f9e717edcf99

SHA1
9df104a0d406b5751756f2ef1ed5116f1b24fb7c

SHA256
7283bc859b3c50a0d1150b102493f8927c8c5876aee3a6255bd062fa433906c7

SHA512
e32a9d001f13dbfded67fb9b28073c78e15028caf0fc828f61b40c5044a75993aa0e7e14a85c52092a027b20ff906af56dcc74e217c6e39643b9b4c02aee9fce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fd3cf6c0a37e24498ac3e5ac4ec61954

SHA1
f6bd33ed88eaa43889a02aea3ee7fa712c4282eb

SHA256
6f5c082ecc832b1e44a50f070b5524e714ca9a5a27434480da369572eeb872a7

SHA512
51ddd4e0f574f852716468d872ca910224012abe76ec3f405452085824c89775183b6a5b831ce2f73724d4fea257c8c22a39c0e1f890a84fd359df3bc5318af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1c49fd3ca868358e5d81e6568733fd44

SHA1
db5e304c8162002f9fc97931b3b14cedbf633e6d

SHA256
f49b7d2108671a61ef38d2e2ac9e09c8e06c3a8d18618c2cff0ff998184d57f2

SHA512
68c2f9a45fe865c9dda255e85881e328d02d39549bdcce952676f59f615ac100260906c66450d9d64ee4e71cd7b348da4bfd8d23a16eec5ff7257a8321d4a035

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ca12c30bde7b811f6450aee6447d277

SHA1
a8d3fcd1dba8cc91c56fb93009c3a21edab0faaa

SHA256
3688c26b6c8b92007221fee1580baaa420fc93774b714b41493ee2e54e5fb81a

SHA512
07efb1c7b213b61092cd446b9c681d4e6816b13c0d48b295775d1ff2f431083f3b39978eebca3dc5eda37edb1a3a35d8eed95ba1b26cf6fa7c434c50d5e78dfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3def513eed17c494acb78aa675b1f63a

SHA1
7e010334f0f8dcdce62aef33c8bd2e71e03116ad

SHA256
f3093d8ccbdaf203cd39262c9b1a745077b9f389f2f9951894ce4b2d9b9e23f5

SHA512
16d8741b4deb234564a3bab26a67e22e042ad0858257dd03155f12ac21256afcd0140f155ae46c1c5ca8fce9d8fb87460ebdd2d2628c665d125a40b2b1722564

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
24fe60a95827abb0e6f9c3a5707e86b3

SHA1
92d24f4811cf2bd2d0591b4f91e80523f61c28ad

SHA256
d39c612962fd39629054b33c6da66ad32963f3f1875374e2084d15e42a8e1297

SHA512
b847848c89e6211103fb2a9ad66bd743192c38b642b7b4e795cd530285c5e572c682ee4b8a18e49d10d8a8931fd05c8516c518f5efe07a148ff3a4dfbd9ec574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72d0d164023dfb4a4ab1f4f4895357fe

SHA1
c02aeacfcd86c6d678eac13d180b328453b2545c

SHA256
259315dc8d5fc8d9fdb29d4394052e000c6b869d41b87e5c6cccf9aee048fdc0

SHA512
5d58b8d7ff395253ced5b93f10989c7d7eec56e858069ddd6ef45ab80cc95d517734c3711aa1420cce373c59732b69c60198d70af1a19ff77d264ac464ee26a9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7b3549a7add51b381384b8d666655b6b

SHA1
dd60a8487e37b4274b31bf0714b9e7db9f6ddf61

SHA256
2a69bcafe44771dc35201c48d54e1c5073feb6fa892cb9a1725c319576e2ad72

SHA512
2d7420a077f7f80e4f952589c86a6e81af73ca246de7b2d1b1558ca97124204f07a600b83036752bcbf82781dca947f5db96ebba6c62801fdf9137b9f459c008

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07e332c8b9757da71109f92bc70e4505

SHA1
0193f30651ede776d11d86989c027eb4c981a90b

SHA256
16fb7695f4b0a66d23507d7281a1c79826c307b61f992f6e1b34887c34d958a6

SHA512
83b7ca75bea293577b283383897099c8e5e849866d37a238f7213c8a44715f62d7116e3c40a1ba038ec3c537f30dfd6c73d0ab906b43851eecea7ff99433be4a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7af41384c23e35b4e2f11b070d24b88c

SHA1
88ce1c39799f61a36e747ffb3d5c4e91260fee00

SHA256
8c882192bcc23b97996b386598adc645339c502cb78b98bd05615fe6e1dbea79

SHA512
5c99aa8695bd54365ba96eebda8057cf4aeacce2ccdc21092adb45ba42228a29bb99d6b807036b904373fc6d1686124370d0ae34c7914c3845dec77cf199f988

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1154d361c1615e2583a4c98e1737a27d

SHA1
c7143a5587dc8fa2ac64c067136d849750d10ea4

SHA256
48f4c295f3cd96c6a96266866dd60e30afd010bc022e18f93a032f048b31fd6f

SHA512
558890cae246677a4d1e59128dbba07d511f85f4d894fdbf8b53ec033da99ef66cb027ddafba8fe4dee555e994e5b04aa5832d9bbc9c62ea3100f9133e9b271d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fadda685688b0fa8e495204f503cb1d5

SHA1
84884da30b57059d85abf420d56479c62a5fc5d1

SHA256
a53b730408f8a3aa083be1ec50b7c34ded3862e18946ae8ab7ae172b28508a4d

SHA512
6120a57fc4a1fd118e0f960af3989b27bfebf26d4a38f3de3f2db3944d84ab82d54f32d5a4110e02fdc4131507036076cd2c09a9c8301e70a6ce60bdf1cb415d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
14fee9dcda7d084c1bfa280acd35941f

SHA1
1fa12ea657ec865315a6ef85dd8874f75ea1c2c6

SHA256
8719f868916e4b3fb145ed8e00b8f76fd704e0298dd212abbab8b32bb6cec19c

SHA512
5a38d63c23ba0629bf4db06385cdb27b8616a1d5e90266ad5fc62289a7de16582307006c419876f637042479c607f35eae2d9f3f5f284d156e769ca10c41c3c1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f7398a5d0af2159d3e21a9a81719ab75

SHA1
f217997ce050c24f37143414f7320a339807c014

SHA256
ee15c65026bcfab2a595795bd1e8b60227dbd4daa984eedb9faa1cf3707c6d30

SHA512
9a45a40f86d571b3aade5c60a52e27548d4f1eabfc36fb3729df8a25bdac9838d59a92d540489c61b4ce9a8cf3e3bbe998ff2ebb56d8ae32e3268aecfc7fa2ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
148dc8a8de9f525e3890151aadf66b49

SHA1
06361027ed30905e5b510b93d933032f3b0c0171

SHA256
6ba2ed439483121383a4daf0ccec79ebac5fb89483629754333d49ea301a9d21

SHA512
af7799826b44f7f50b1c68a562d3e2717890fe4d7c9d8a6756cbf0c231baa055cc9af108ed51f323975bfe36dc6fff5e6f0328fdb6b037163b08d40a3780029f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cb915f6f29fd038fdd91ef8d94a24cbd

SHA1
edbf7954fb7bbbfdfa4b052d6293a2fe618a5e12

SHA256
b4207a324b70dc0d7bf1a45410ef79f648b20187fd49a1cecf5b8f6e50f4c865

SHA512
fac8c4dad392b170820c4e127cccab2da483fd4bcebb1a1f501ac214123cf221da40793734385bf74d690ccab064f6b7f38b55c7f1ff077b4faff0da34b40d81

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
17374f0f78cba7710a3980e3b3759a06

SHA1
47245a16c1f4c67549f6f272010de40302fa3c01

SHA256
492fdf7e7a7641b07b7f8681b9afdb6905ceae56be41e41f6f872c66492f2216

SHA512
48b981bf897c13a18e248aae0a9a3643459795758a70cf2a3dddae115e2aa7193d3609f4b71ec2876f23f6db974863c6ae31a8673d0ad4af04903bfc3938ccbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
92KB

MD5
473d7ee45b817942da1d1cc5a56ff65e

SHA1
5acd422044bf9168d04573c5e891ca1f1c8b857c

SHA256
747522303701a30d1ddfa633aa4e916527adcf2ae13907f13b6577e1e267d5dd

SHA512
aa54b8ea0cf247bc4af22c82549637176c1b80ea3d1fc9e08a48ae880f736971d35a47ced266f8e8fe5262a7e5b3a909adb1ab972a5a02bd4ff3acdeb5a4d72b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
15KB

MD5
0aa64cede26e42582a2e95253f4d620f

SHA1
239ba6d3bf017ab1483872aa39c442374b63ce35

SHA256
e690121c98e223548293e8349fb777e5a305db4c5d1770290e69011b16537880

SHA512
1d22a3995039eaf2df65014fc875f018dbe4af8c4eb70e57e054b7bcead84e93e8a9093f1f973bbf6c7ea375e2fa0a7de3b15e7dd39933a8e87221530baa8fd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
19KB

MD5
cc7043fd1ef40fe05e4dd7ab1e604c15

SHA1
a8ce0b03af145994b86322c83fb70b36c4143b21

SHA256
23be1de3e51a85ee7abed56d1ad6d3a2bf5a60f5658ed0fae18d274a296c83a8

SHA512
b9b82abeb39e5bfb54b2a456c06942ee952574e01e6a0e337a64215941ab1be077584978b25a2aaf251e4a91ab48047b326f7e1bde17a10a913f2536fb9af1ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_oejsjxgg.xzo.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cda16973

Filesize
774KB

MD5
5df9d4d1223086526144377d5a901ed9

SHA1
ec4ae360f1f32628aa4b3407d5f3ef4ab70b59ea

SHA256
8509edc5630aadd34d3f78ee0ebc945bece92fafcda8359587597036f008b8d2

SHA512
e9213f17be8ebff3dd627955571d8321ce915bf6d5ef6fba39ef489006c2b10d1b860ce27265dbedc75c65e3be6360287c9a8194754d5e291117206753cc1548

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01.zip.crdownload

Filesize
6.7MB

MD5
da0f823b67bc093b75d381f2a105ecb6

SHA1
11e82222f4070fbadc8c4c2f194ba65d9fa60ac5

SHA256
ed88b5c4a8be75f5da0400817a9514bdcb38e602aa3fe463d39cec523dcd3268

SHA512
3d2986bf2b9d6fc9c7251934f68eab8995dc33b1cf3886c2360afebdc2f9f35a088a2e0d92002a3c225a07095a5213677df78a4bf95ed77842d98a998b1e1016

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\01 NOTIFICACION DEMANDA..exe

Filesize
2.3MB

MD5
5d52ef45b6e5bf144307a84c2af1581b

SHA1
414a899ec327d4a9daa53983544245b209f25142

SHA256
26a24d3b0206c6808615c7049859c2fe62c4dcd87e7858be40ae8112b0482616

SHA512
458f47c1e4ccf41edaacc57abb663ee77ca098fffc596fad941bbdea67653aeabc79b34d607078b9ee5adb45614e26f5c28a09e8faf9532081fdd5dec9ac3c48

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\aigret.eps

Filesize
650KB

MD5
b16a26aee27cdc91b7f545e03877f9c0

SHA1
7eb68256ac0a97e4ee0ddc1db648968987406910

SHA256
b3abdc2b792cb4b0160bdcc291dcb13b31078d852bd20ae01ae0908a0b46b72f

SHA512
25b8a3155c9b30df90b64690b8f4d16b1de1dd321efe05f9c8e5e939e0884acd2e4cf07797dc7f1a87600793246640ef6e5ff3b2a82229406cce674fef15b446

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\barrette.accdb

Filesize
17KB

MD5
3de728173727b206fe14724ba05a28c2

SHA1
407ca05387c9fc1ac22cd409df1f0899d49a7cde

SHA256
f923b85549cf4d2f87c11f4cdeb5abb408974aea8235aa68acc849736ebdde28

SHA512
33b6e43f6bdaf31b7387ffa683e9581afb4d9b170767e6c6a51180608568db9675fb16643ff462dfd53c6ca76789902553d9bb6e834734fbd8ce4f8726b76206

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\madBasic_.bpl

Filesize
210KB

MD5
e03a0056e75d3a5707ba199bc2ea701f

SHA1
bf40ab316e65eb17a58e70a3f0ca8426f44f5bef

SHA256
7826395127e791a883359ea81308174700da0af8052cc9853b19fd29c2e4badb

SHA512
b0a3cfb6b34832f048fe0fc70c6fa76ae16a2cacda930f6529a83a967d6e8de1c69b93e0de3dc2126c5385d85e814687e695a0a4131399a69633141cad98da2a

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\madExcept_.bpl

Filesize
436KB

MD5
98e59596edd9b888d906c5409e515803

SHA1
b79d73967a2df21d00740bc77ccebda061b44ab6

SHA256
a6ca13af74a64e4ab5ebb2d12b757cecf1a683cb9cd0ae7906db1b4b2c8a90c0

SHA512
ba617227849d2eb3285395e2d1babfe01902be143144be895011f0389f1860d0d7f08c6bbc4d461384eba270f866cce3351f52af1dc9ef9719c677619de79e42

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\maddisAsm_.bpl

Filesize
63KB

MD5
ef3b47b2ea3884914c13c778ff29eb5b

SHA1
dc2b1fa7c7547d8f1ad3f20f9060f7bc686118e0

SHA256
475f7cdffd8ed4d6f52bd98ae2bb684f1c923a1be2a692757a9af788a39b1d87

SHA512
9648d951d8d3640436c8029fd0f06786f7ff8f52191cd6959569c87868bb6c40ac8c7e495c09377a8a5c85e8d3942551c37eb84e916b5c16327d8d43a167820e

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\rtl120.bpl

Filesize
1.1MB

MD5
1681f93e11a7ed23612a55bcef7f1023

SHA1
9b378bbdb287ebd7596944bce36b6156caa9ff7d

SHA256
7ed5369fcf0283ea18974c43dbff80e6006b155b76da7c72fa9619eb03f54cef

SHA512
726e8f58648a6abaf1f2d5bebcf28c1d8320551a3b6e7eef0cf8d99f9ef941e30e7004c24c98e9b5e931a86128d26de7decba202390665a005e972dcbe87ab93

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\vcl120.bpl

Filesize
1.9MB

MD5
1384dcc24a52cf63786848c0ed4a4d1b

SHA1
ea63180c94ea2d0417ad1860128980dd18c922ef

SHA256
d19f51871484cc4a737196bdb048193ad73f7f6bd061ec813766516eba26e406

SHA512
d405911672e3ea7abcbc898d7b807b9bc1dcbf4f83663d70bd8adab075960cf3d904b2710adbdafbcbb99ba4a41b9a40c64b7171e845255a91a042871b1ce8a3

Download Submit
C:\Users\Admin\Downloads\01-CITACION DEMANDA EN SU CONTRA -JUZGADO PENAL 01 CIRCUITO ESPECIALIZADO EXTINXION-01\vclx120.bpl

Filesize
222KB

MD5
3cb8f7606940c9b51c45ebaeb84af728

SHA1
7f33a8b5f8f7210bd93b330c5e27a1e70b22f57b

SHA256
2feec33d1e3f3d69c717f4528b8f7f5c030caae6fb37c2100cb0b5341367d053

SHA512
7559cdf6c8dbea052242f3b8129979f7d2d283f84040f1d68ae10438548072715a56a5af88b8562aeea7143194e7c5bddac3fdb01ded411a0b1cac9f0c6eef3f

Download Submit
C:\Users\Public\Remove.ps1

Filesize
506B

MD5
9a64016f9ad05a65db1862ff2e30da41

SHA1
0e41b0e5f20418cec6e5db6fd972b6b33474b6a8

SHA256
77366edf66bcfddce01230c562990a240bebd33f21484ee1e9306b9fac1592b5

SHA512
42758258e0085942ea4bd0896b15bc82c99ac29f049b404826306f1ecf1e730a547193ee2f208bff8e851e358deafd32186a6bf080db0246eae916c2c0589fc0

Download Submit
C:\Windows\temp\aizcy0cn.inf

Filesize
12KB

MD5
ab9c9d0e65025427cb889bc49395c11d

SHA1
d3941cb506d12c90716171068d2af4ee27816118

SHA256
bd08aa2dc5a16499de91b333978bed9a7df8680018ba4892691589ef165e22e4

SHA512
d743b3cd15c713f9a31d49b836e62f476e75a8ed46c84ee4ce14551fb116f247791e1359bde2ac8fb3f2e343957fd4425805381f63e3b0f17288b05115cdef58

Download Submit
C:\Windows\temp\zqhvuuks.inf

Filesize
12KB

MD5
bdfcaf3ebbd35863cd90fb057ebfe684

SHA1
98031d5eb63285428535e9f466b1afe763154637

SHA256
30f5adfa8ce2abc76285036627cb491f822270c8f5425d42a685db6319883026

SHA512
3e41ebe472084271af89eb5ec4f7b09bf44f40ad2e75d4c764d28b7a6cd3db4594cb545ed012c70b214b0337d5bbad8af5dbf3a3fba2c83cd1397af48bf201b8

Download Submit
memory/64-339-0x0000000007250000-0x000000000725E000-memory.dmp

Filesize
56KB

Download
memory/64-336-0x0000000007040000-0x000000000704A000-memory.dmp

Filesize
40KB

Download
memory/64-322-0x00000000062A0000-0x00000000062D2000-memory.dmp

Filesize
200KB

Download
memory/64-333-0x0000000006230000-0x000000000624E000-memory.dmp

Filesize
120KB

Download
memory/64-334-0x0000000006ED0000-0x0000000006F73000-memory.dmp

Filesize
652KB

Download
memory/64-335-0x0000000007620000-0x0000000007C9A000-memory.dmp

Filesize
6.5MB

Download
memory/64-311-0x0000000005D80000-0x0000000005DCC000-memory.dmp

Filesize
304KB

Download
memory/64-323-0x000000006D570000-0x000000006D5BC000-memory.dmp

Filesize
304KB

Download
memory/64-342-0x0000000007390000-0x0000000007398000-memory.dmp

Filesize
32KB

Download
memory/64-341-0x00000000073A0000-0x00000000073BA000-memory.dmp

Filesize
104KB

Download
memory/64-302-0x00000000056D0000-0x0000000005A24000-memory.dmp

Filesize
3.3MB

Download
memory/64-337-0x00000000071D0000-0x00000000071E1000-memory.dmp

Filesize
68KB

Download
memory/64-340-0x0000000007360000-0x0000000007374000-memory.dmp

Filesize
80KB

Download
memory/812-168-0x00007FF95A650000-0x00007FF95A845000-memory.dmp

Filesize
2.0MB

Download
memory/812-184-0x0000000074AC0000-0x0000000074C3B000-memory.dmp

Filesize
1.5MB

Download
memory/1356-140-0x00007FF95A650000-0x00007FF95A845000-memory.dmp

Filesize
2.0MB

Download
memory/1356-151-0x0000000000400000-0x0000000000698000-memory.dmp

Filesize
2.6MB

Download
memory/1356-139-0x0000000074AC0000-0x0000000074C3B000-memory.dmp

Filesize
1.5MB

Download
memory/1356-149-0x0000000074AC0000-0x0000000074C3B000-memory.dmp

Filesize
1.5MB

Download
memory/1356-157-0x0000000050310000-0x0000000050349000-memory.dmp

Filesize
228KB

Download
memory/1356-156-0x0000000050120000-0x000000005030D000-memory.dmp

Filesize
1.9MB

Download
memory/1356-155-0x0000000057800000-0x0000000057812000-memory.dmp

Filesize
72KB

Download
memory/1356-154-0x0000000057000000-0x000000005703F000-memory.dmp

Filesize
252KB

Download
memory/1356-153-0x0000000059800000-0x000000005986E000-memory.dmp

Filesize
440KB

Download
memory/1356-152-0x0000000050000000-0x0000000050116000-memory.dmp

Filesize
1.1MB

Download
memory/3136-201-0x0000000005830000-0x000000000583A000-memory.dmp

Filesize
40KB

Download
memory/3136-186-0x0000000073560000-0x00000000747B4000-memory.dmp

Filesize
18.3MB

Download
memory/3136-241-0x0000000001020000-0x000000000102C000-memory.dmp

Filesize
48KB

Download
memory/3136-203-0x00000000064D0000-0x0000000006536000-memory.dmp

Filesize
408KB

Download
memory/3136-202-0x0000000006430000-0x00000000064CC000-memory.dmp

Filesize
624KB

Download
memory/3136-244-0x00000000014B0000-0x00000000014BC000-memory.dmp

Filesize
48KB

Download
memory/3136-200-0x0000000005870000-0x0000000005902000-memory.dmp

Filesize
584KB

Download
memory/3136-199-0x0000000005C40000-0x00000000061E4000-memory.dmp

Filesize
5.6MB

Download
memory/3136-189-0x0000000000B70000-0x0000000000B86000-memory.dmp

Filesize
88KB

Download
memory/4304-262-0x00000000067D0000-0x00000000067EE000-memory.dmp

Filesize
120KB

Download
memory/4304-248-0x0000000002E70000-0x0000000002EA6000-memory.dmp

Filesize
216KB

Download
memory/4304-249-0x0000000005AA0000-0x00000000060C8000-memory.dmp

Filesize
6.2MB

Download
memory/4304-250-0x00000000057D0000-0x00000000057F2000-memory.dmp

Filesize
136KB

Download
memory/4304-251-0x0000000005870000-0x00000000058D6000-memory.dmp

Filesize
408KB

Download
memory/4304-275-0x0000000006D00000-0x0000000006D22000-memory.dmp

Filesize
136KB

Download
memory/4304-274-0x0000000006CB0000-0x0000000006CCA000-memory.dmp

Filesize
104KB

Download
memory/4304-273-0x0000000006D30000-0x0000000006DC6000-memory.dmp

Filesize
600KB

Download
memory/4304-257-0x00000000061B0000-0x0000000006504000-memory.dmp

Filesize
3.3MB

Download
memory/4304-263-0x0000000006800000-0x000000000684C000-memory.dmp

Filesize
304KB

Download