asyncrat | hxxps://docs[.]google[.]com/uc?export=download&id=1JLDIqPBwfFqOwOAI9gBaNliRmZFmgPGx

Analysis

max time kernel
269s
max time network
274s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18-10-2024 00:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=1JLDIqPBwfFqOwOAI9gBaNliRmZFmgPGx

Score

10^/10

asyncrat z-oct-16 discovery persistence rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Z-Oct-16

pt4040.4cloud.click:4004

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Executes dropped EXE 1 IoCs

Processes:

Demanda_Legal.N°7278263..exe

pid process

1756 Demanda_Legal.N°7278263..exe

pid	process
1756	Demanda_Legal.N°7278263..exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Demanda_Legal.N°7278263..exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TechDesignerEditor = "C:\\Users\\Admin\\Music\\TechDesignerUpdater\\TechConvertVideo.exe"	Demanda_Legal.N°7278263..exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Demanda_Legal.N°7278263..exe

description pid process target process

PID 1756 set thread context of 5028 1756 Demanda_Legal.N°7278263..exe csc.exe
Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\INF\display.PNF chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	pid	process	target process
PID 1756 set thread context of 5028	1756	Demanda_Legal.N°7278263..exe	csc.exe

description	ioc	process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exeRdrCEF.exeRdrCEF.exeDemanda_Legal.N°7278263..exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.execsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Demanda_Legal.N°7278263..exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133736849401450895"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 3 IoCs

Processes:

chrome.exeOpenWith.exeOpenWith.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

Processes:

chrome.exeAcroRd32.exechrome.exe7zFM.exe

pid	process
4892	chrome.exe
4892	chrome.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
2672	chrome.exe
1648	7zFM.exe
1648	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

Processes:

OpenWith.exe7zFM.exe

pid process

1996 OpenWith.exe
1648 7zFM.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

4892 chrome.exe
4892 chrome.exe

pid	process
1996	OpenWith.exe
1648	7zFM.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe
Token: SeShutdownPrivilege	4892	chrome.exe
Token: SeCreatePagefilePrivilege	4892	chrome.exe

Suspicious use of FindShellTrayWindow 37 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
1648	7zFM.exe
1648	7zFM.exe
1648	7zFM.exe
4892	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe
4892	chrome.exe

Suspicious use of SetWindowsHookEx 39 IoCs

Processes:

OpenWith.exeOpenWith.exeAcroRd32.exe

pid	process
1104	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
1996	OpenWith.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe
5116	AcroRd32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 4892 wrote to memory of 4812	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 4812	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2340	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2176	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 2176	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe
PID 4892 wrote to memory of 840	4892	chrome.exe	chrome.exe

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=1JLDIqPBwfFqOwOAI9gBaNliRmZFmgPGx
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4892

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ff911cacc40,0x7ff911cacc4c,0x7ff911cacc58
2⤵
PID:4812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1892,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1900 /prefetch:2
2⤵
PID:2340

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2148,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2144 /prefetch:3
2⤵
PID:2176

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2444 /prefetch:8
2⤵
PID:840

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3128,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3156 /prefetch:1
2⤵
PID:3516

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3152,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
2⤵
PID:3048

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4600 /prefetch:8
2⤵
PID:2584

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4368,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3864 /prefetch:8
2⤵
PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=3544,i,15025906644971232252,1755601050394611919,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2384 /prefetch:8
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2672

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1760

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1096

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3908

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1104

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1996

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\Demanda_Legal.N°7278263.tar"
2⤵
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:5116

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
3⤵
- System Location Discovery: System Language Discovery
PID:2892

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=6AF766BBAE942E52236BCD81DC68E056 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:4544

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=0A592FC6C60F40FA3C1666887519856C --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=0A592FC6C60F40FA3C1666887519856C --renderer-client-id=2 --mojo-platform-channel-handle=1768 --allow-no-sandbox-job /prefetch:1
4⤵
- System Location Discovery: System Language Discovery
PID:4480

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=583CBB296753BE20B767B97CF41927A3 --mojo-platform-channel-handle=2348 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:3400

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=1D5E61C122356ECA43DDB8F95A40C8A2 --mojo-platform-channel-handle=1868 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:2416

C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
"C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=152AB084654FC564B5F105FDCFF926AD --mojo-platform-channel-handle=2340 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
4⤵
- System Location Discovery: System Language Discovery
PID:4204

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3908

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Demanda_Legal.N°7278263.tar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
PID:1648

C:\Users\Admin\AppData\Local\Temp\7zO0768B17A\Demanda_Legal.N°7278263..exe
"C:\Users\Admin\AppData\Local\Temp\7zO0768B17A\Demanda_Legal.N°7278263..exe"
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
PID:1756

C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
3⤵
- System Location Discovery: System Language Discovery
PID:5028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
36KB

MD5
b30d3becc8731792523d599d949e63f5

SHA1
19350257e42d7aee17fb3bf139a9d3adb330fad4

SHA256
b1b77e96279ead2b460de3de70e2ea4f5ad1b853598a4e27a5caf3f1a32cc4f3

SHA512
523f54895fb07f62b9a5f72c8b62e83d4d9506bda57b183818615f6eb7286e3b9c5a50409bc5c5164867c3ccdeae88aa395ecca6bc7e36d991552f857510792e

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
56KB

MD5
752a1f26b18748311b691c7d8fc20633

SHA1
c1f8e83eebc1cc1e9b88c773338eb09ff82ab862

SHA256
111dac2948e4cecb10b0d2e10d8afaa663d78d643826b592d6414a1fd77cc131

SHA512
a2f5f262faf2c3e9756da94b2c47787ce3a9391b5bd53581578aa9a764449e114836704d6dec4aadc097fed4c818831baa11affa1eb25be2bfad9349bb090fe5

Download Submit
C:\Users\Admin\AppData\LocalLow\Adobe\Acrobat\DC\ReaderMessages

Filesize
64KB

MD5
692c85ee7e1ee0fdcee15d0e60fdc063

SHA1
2904b97eccb2436d34f9d84823b7d2401d6c66b3

SHA256
237e12ca8d6791905244c314de06e2480e145f020f32bee05b6710499eaefd5c

SHA512
96347f7377eaf6c60345f695e63f704af4020e475804cc639881897aa45f9f0fc372a6e1939adf38492c4b0971274e92e1189306bb2d486ea546d678ea693f8b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\9c0f0624-aa9c-45d7-9ce2-5867ed3a7d31.tmp

Filesize
9KB

MD5
6c7b04db8f58fd90852d62d3e31d937a

SHA1
10340526f3cbc13e862e2927d9acc71a6593ec5e

SHA256
f9ba6f06921b94a408f3c768e88bbbdc81d3485eeb03cbebc148b4bb5d47fb22

SHA512
2c5eb63467000702971b25f025a1e27f77c965e0b4cc75476b0feaeac6861d05c651fbb793b611b860388909587e14a670251af760095f890cc1546365f512f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
6f548bc51b726c03c4a6eb9e8ad64d20

SHA1
27a8f9b47f6487e4ba843e60e38f748492d39aa8

SHA256
c0a078dc940bffc7085be31576060e48de64e2297b1af3dccddff67d606b161a

SHA512
6b7baccb487a6e35eb80fea5cddabee26ee19d9801ba880a7f3b89f9fe59780e1c6100610226ea20b1956d75fc2552536677f0e0e371617b835aaed9f4605c26

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
5533c05ac37ff7ac7577948dce1f38bc

SHA1
d52113bb8cfce854917151e7589e741b0838858c

SHA256
6d85223c3c51d5f4a88b515ebc94d51b41a11ecbecfb7e0ab72ad96b463f80fe

SHA512
164cb1c7a98929c04994637cf0281dcb5156f863240f05fb79553233350516025aa1f917497421e5b06bae54c6ce9b544b688c643d72f4068a6013a4d9c81cef

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
1804f204e8fb4e6962f0d5971c1d0388

SHA1
c94823d05ccdbd16d530ee9a661615d37c47e6fb

SHA256
8b32204f736b1af924c0cebcc02360f11f4d79f7d3637ec3201ed8b87110cf5a

SHA512
b979ca137d03725969135a922551c26a9f385f3964a481ab29257d998841815eec1c3bbb64eb60dbfef92e31d5e142d7452c629338d8b4c0aaeccec16b8258de

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
8520f1b9b97edc1078b363712f028c07

SHA1
7519413d5539c6afa241433fe8a27216d89a2e95

SHA256
c6cd33bce6a89531a55e85ade0f07f669df818a1b1aa7756593c5ce660ae7302

SHA512
bce08fa9a78c9ac2a5f8a2894dd2de5754672d638563dbd4691cae6534750ef29383486ba47870d564dccc3252d11d5d80283bd6e19a6fd31c8aebd993825637

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0e19aa3c024dca8b34b53f94a2c4fc12

SHA1
f8b14d611d3be7c6fb03f874a8a1c8ed1446944d

SHA256
d2b37ade20a37cb9339042602880d6db49301a863bc58850a7e0229810f1576c

SHA512
24e9f10a07b91c2565a9c62ec9cb7e343ef15fe5b085aa92a402e72ef7a4d0ab4fd6afa6c2a957723779aabfbfc0dee8f0314abc1fdd932f22f0f9e78dbe92a0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
65e4f051b992a69fe3ae267cc33088cc

SHA1
1c4e74a9e1adc80c73b3a7cf3fa98637f09490c8

SHA256
a3b4c620f9ecfcdfb8258cba2f3f14e990f4466c50446318f77b380dd17d1b2c

SHA512
0df45a2bbe6e79817e229f4296489cb4ad931118ce887bb87b52ee8f6239ab2e961284d14ab30919dc459397d90188a1c5c3759d19490a8ebeb51c62a747bcac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
86756f8af738f7bb5c815a05e02efe43

SHA1
bc4976c145439cb8cfcd996538b20c7943a5e497

SHA256
26c7053ad474672f0ca04e61b6aaff377e389b07d498b239cf46f7815071621e

SHA512
8bad016d6ad6eb175c7666ff81354db15e1fb4e73f6836abf96ac73ec76f46a8a999f9d02a0f308017c44b1607b0b3e1e04530759d83d0fb43b800b8c724be09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ed26e1cf0d2b419059e02ae949e07e3c

SHA1
72d7c6b46e0418d65d0292a3cf72c1a2f30e3ce4

SHA256
4025c88dd2ddbbd9748aefada619d92a71f63ece4c198715ccf7a187769bba9e

SHA512
f2de2cc0440bb48fc030280636cefa04e5a845e09f56eeebec2c7adb07270c116a8d7333fece8b28feb0504170159a2e67658a5c387a6c526a329b80c0d7ac0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c268b1e487b681e03d9069abe26be28e

SHA1
8385f4c60852227ef18852b9b7489dc03874cfb8

SHA256
4f997dae489161ec887b09a04de10b46e7b5810c2a5e56db5c895b0ca29c09ba

SHA512
b4d8e2d3a7d61af65b779abb1c85af590d089d8f62546b395a884ac8b16847f004b2331eb9294572712f1e796b4e14ec2579b4b9137c7e2500a6ac8f5ea8f205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2dcf8e727841b6b72d46b4a887d33e1b

SHA1
3c3eff4a345765d5ac0a27cec76cffd6a7c56d0f

SHA256
6b15fafaead3768896719ae597b4c949a561954eda5e4ebb7c7355e95db19cb4

SHA512
ed6f210a0f1afaa4774d81103be32595608f4f6b2fff03a0cbb6e62dd9bef994df7c2e4a48711e29803fde0888a538c3b3e537f7fc70b3e3844e4fe81e3edc8c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
049a1a31c06e1c48051f8ccba7504c17

SHA1
ba9e5f734c5e0dfd58b5f4d2ba3ea063341ff373

SHA256
9a412db163ceb92609d4699eb442056899e2e4545cc7cb1835f3487277358f13

SHA512
339a6466d63cd836518e6f1f0b5d1183fbbdaaaa074458e498ffcc4f5b5a547a41dd9786e48a6a3584cdffdd2cde82ff0a4e75dab79dfa6733e04392948f1720

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
da5798f9abc8080f3c994ccb5502df93

SHA1
1c9b1d8a51411d063661381083808e51567a9ad0

SHA256
66dcd244a0f883c5f29b1d6458a5a0bc603b0a1fe1d22e993d30ddf43baa8b00

SHA512
c8ac380de202292974dccfa65bb6b96acd8c4eb859660eb4f659313f11bccb63bd75b97388c3ea25872be29e5c2189fe4d055541e57fbf08db24985deb8e1a52

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e0a51ac46d0df1f60658f9b94df1ec5d

SHA1
5c3337303afbe63b5b2edd9965ca992226a64806

SHA256
6990926925269345a90ae7f04d085cd174c626a3f2cc8aa748ec6b57fa82d381

SHA512
cf7f9176edac3b0b5c92d9e7f6813b40a958cdf108fa68e286d1de42cbf016beb34fb7cf06798cb05075fcf2c245fd68adc462c8d04c2c2455a5d60c6f3b645f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0848417fb8a3923ff188b57563788034

SHA1
40d65cb58b2993d9591b6c3a2ff96adff70d13b0

SHA256
32b56a5b7fccbf9aed9759e89f0559508af4dacdce9e3a8afff10b72970649ac

SHA512
14a7765a2f9fd192f56943cb884d9837213e609207cddb32a91cd9742820412d9934737972c80288017e52362ca43bd1aa337ffc485e0f1cd9f4268c52b85d2d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dd4407b31bb2182f7da3a242fc901199

SHA1
3d5af2a86c56af26797567097068713fab356d76

SHA256
8cf48cdeb1c46ae51fc1a46ffef871e9121fe5d9284906e930268349448fa4df

SHA512
5c853049e82b66dbe0719af3303e40f18f10fa4b60b8d0be4e55d4ae9e6cf48943be71885ecbe56ed23ad5c01b988a5584dd7acdd8658c6bdd8cfbc7b3a7b216

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
caec44542eecaa8f33cbaac3660fad6f

SHA1
f7dbf4f06c079ccb67eed02f136cc0ec318b2b2d

SHA256
22307f46c46b75c7e8b2a42de5bb1233b08415e960c007ae9051ed5b811140ae

SHA512
094469a19f5f333b5bf8bb1792324192974297a32bc36dde6bb32425b1f25bc377758009621da8749706585ecbfd6ddd0f9e1443ca52291a1dca4e0955efec51

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7528c558af3bf4c139d3e26a39cf3521

SHA1
824eec12e375cc39081668c5e3e53b82166ed16b

SHA256
35bbca061bee53f67ed65ea6a06f46aa6d1d808b0e8b1d3d0ed505e6efc19972

SHA512
841040c22198f0551752c4bf4db0301b263756702c809f7eb01a924a8fee57e7ab14701b7e69168f401a95219d6caef5be91f621087d7ffd85a0d7223c4e7618

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
84a71d5f7fde438054e198bea5027e3c

SHA1
bdb17e5a4f1061d07f6c6f45901195ab7f58e079

SHA256
c31500754b38e0d41e9e4ef9109bde2efa17a0c7bcbc0202b1440421156ff6a3

SHA512
03565c8ac3a22ab492ae45100dd2f83d459ee75889c54cc913e9866cf4277d01a95f54cf46eb5bbe25fcdfeb66c225bf40ab2244dbe278b881856b2ebcc5b1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2a570dc9a6d076384a07bb22da95090e

SHA1
32d4bc89e143ded853c7baac67672e985b8e224b

SHA256
481212e46af64d0c7e717d0fe7aa42eb7a23d9e6ea69376875f40e10e244a0e1

SHA512
eb84fb69b275dc8d749e9d4b54f6a2bdd9239678043ad3a4e61c76a1d0f7af77c3ddc999db25460b43e9dedecea52c8c05b7a748990b212f30e8b7ded7f560be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
95ed89e8b42c0acc02ac56bfad792140

SHA1
8316560681c7a381081165a0b65aa49bccb13acf

SHA256
22332fa2cc2f9f517ec3d9f3ea4d29abcf17930fb3dccb0bf7050987cccdd061

SHA512
78c970fbda251cf81bf30495c38b9f78382ae4f573b2203081edbd320a978ab1d12996fe84aac99657ceca3b884b354bf999caee3811ef2048478ef0fb92d2cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GraphiteDawnCache\data_1

Filesize
264KB

MD5
38fd6698841937bc72a4a36b56297270

SHA1
f7824b1c425a9f9bf8e4e22c056527440377ab64

SHA256
95f971be0beaca5f022f13e3f48d533545b0035c69fd319caea1bd38ad53df0f

SHA512
58d2f170b3ac01dd299ba40e8d6a6c24531f02cac46bfdbfe815962ffd196bd9e856392d4d892275191a34b020051deac10a0f63d7f654e9e8f0834b723465ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b2f116ac0c56b48911d2c250562d74c6

SHA1
c8fecdfe8d64220046997df7037576ec5e620799

SHA256
1e27c4d735b6c28e04cb8c284deacb60fb5c12690db62fa867ccb7290df9dcb7

SHA512
bc1a861a077817daf108473d7f3cf6355b4751242df8f6ae9d734646f87f727897bdcd4f4dfcb80530721125e3d9bb941e8d1ff1c1bd9b58acdb1e1607dfe912

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
4185e4d8291f2795eb22943463201b4d

SHA1
0c5ced2f0b33f791f56e45ec82c0744963adb396

SHA256
b8bd5390fa01cac493678afcbff3905ffa888eb3f2ffd5e14512cc05216b776f

SHA512
6553b9d27fae130b65091dfe00bc32c0ac97e3f07f5cb193eb451c2b67ad76f8fa2093906d535fe18fcdc86cf9f6470d2ebef25c166639dcae8e51f3331f6c01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
aeeb402cfc1c07f1d115ea511878c847

SHA1
532942c5531fce16ba20f3bd6026d4659395f8e7

SHA256
c5cf2c7b1e5938cc45fc37e5e06428ef15f81976a39d576069f3910e357f1b21

SHA512
34798f6f8107526e6a78024f31770ff79c2e14b3b136f4669232734415b5cf42a3dfdafc078948ac22f663b5ced704383aad93ccb47656da82798241796fb531

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO0768B17A\Demanda_Legal.N°7278263..exe

Filesize
2.5MB

MD5
49ec7b0a10c0c2fddf8ee9931e220a87

SHA1
54389b474b33191afaf45fb464199f1a3089154a

SHA256
edd192a65b9a5d7df1076294077e896a872bf8c6c1ab8799415f1ddaf32e0144

SHA512
12b51b3782016b178b963ac7d598baf66b1c14bd04d5171c568ee82eea5f5e51fadace586053f726eb894c8f8a1dc2027e80d1e8aab5284c00c55f0705ff83a0

Download Submit
C:\Users\Admin\Downloads\Demanda_Legal.N°7278263.tar

Filesize
886KB

MD5
df7bb250b6147f305194312f5e4cf1fa

SHA1
33c0bb81149aeb8c786fc981051162e7a101d07f

SHA256
508c19196d361079268da5506273d2ba60c45ed443a1f543afe383ad8a69c912

SHA512
f3305f880038d98ad6049657b4448a7fd24fc877aa3a6c0f81a446fb9d04027efd537113c9755d9cb0083bcb7773d6023c46fdd8b5d004a31b81c39ff4c0ea66

Download Submit
\??\pipe\crashpad_4892_HLFNYCXEHXUKQWXL

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1756-390-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1756-389-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1756-394-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1756-395-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1756-391-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1756-392-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/1756-388-0x0000000000400000-0x00000000006A5000-memory.dmp

Filesize
2.6MB

Download
memory/5028-393-0x0000000000900000-0x0000000000912000-memory.dmp

Filesize
72KB

Download
memory/5028-396-0x0000000005B70000-0x0000000005C72000-memory.dmp

Filesize
1.0MB

Download