asyncrat | hxxps://drive[.]google[.]com/uc?id=1_WBSRfZlNu3lXa8n4JlMue0JeaaI4I54&export=download&authuser=0

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
18-10-2024 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/uc?id=1_WBSRfZlNu3lXa8n4JlMue0JeaaI4I54&export=download&authuser=0

Score

10^/10

asyncrat maximo9 discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

MAXIMO9

delonuevomision.con-ip.com:2625

Mutex

tempcookiee

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs

Processes:

ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

description pid process target process

PID 2228 created 3420 2228 ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe Explorer.EXE

description	pid	process	target process
PID 2228 created 3420	2228	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe	Explorer.EXE

Drops startup file 1 IoCs

Processes:

ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Value.vbs	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

Executes dropped EXE 1 IoCs

Processes:

ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

pid process

2228 ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

5 drive.google.com
3 drive.google.com

pid	process
2228	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

flow	ioc
5	drive.google.com
3	drive.google.com

Suspicious use of SetThreadContext 1 IoCs

Processes:

ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

description	pid	process	target process
PID 2228 set thread context of 5636	2228	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe	InstallUtil.exe

Drops file in Windows directory 1 IoCs

Processes:

chrome.exe

description ioc process

File opened for modification C:\Windows\INF\display.PNF chrome.exe
Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

description	ioc	process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exeInstallUtil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133737511340935272"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 1 IoCs

Processes:

chrome.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

chrome.exeACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe7zFM.exechrome.exe

pid	process
5036	chrome.exe
5036	chrome.exe
2228	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe
2228	ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe
3404	7zFM.exe
3404	7zFM.exe
5132	chrome.exe
5132	chrome.exe
5132	chrome.exe
5132	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

Processes:

chrome.exe

pid process

5036 chrome.exe
5036 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe7zFM.exe

description	pid	process
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeRestorePrivilege	3404	7zFM.exe
Token: 35	3404	7zFM.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe
Token: SeShutdownPrivilege	5036	chrome.exe
Token: SeCreatePagefilePrivilege	5036	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

Processes:

chrome.exe7zFM.exe

pid	process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
3404	7zFM.exe
3404	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe
5036	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

chrome.exe

description	pid	process	target process
PID 5036 wrote to memory of 2252	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 2252	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 1608	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 3908	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 3908	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe
PID 5036 wrote to memory of 4344	5036	chrome.exe	chrome.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/uc?id=1_WBSRfZlNu3lXa8n4JlMue0JeaaI4I54&export=download&authuser=0
2⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff9279cc40,0x7fff9279cc4c,0x7fff9279cc58
3⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1996,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1992 /prefetch:2
3⤵
PID:1608

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1892,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2028 /prefetch:3
3⤵
PID:3908

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1736,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1648 /prefetch:8
3⤵
PID:4344

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3092,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3132 /prefetch:1
3⤵
PID:1056

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3136 /prefetch:1
3⤵
PID:720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4584,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4596 /prefetch:8
3⤵
PID:4956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4908,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5040 /prefetch:8
3⤵
PID:2764

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4756,i,11394792285779540494,7363402823262258043,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=952 /prefetch:8
3⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:5132

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.rar"
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3404

C:\Users\Admin\AppData\Local\Temp\7zOC4D87528\ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe
"C:\Users\Admin\AppData\Local\Temp\7zOC4D87528\ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe"
3⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Drops startup file
- Executes dropped EXE
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
PID:2228

C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
2⤵
- System Location Discovery: System Language Discovery
PID:5636

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4968

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2712

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
d35880b7246a3596de4304792357cb79

SHA1
d69abbd032b7ce8a6388b5a3cab5a6a58afa4069

SHA256
16a578c11060279d24d0de7d26ef58b56a324a6cbeeee82cbd9b9133820f4863

SHA512
c92c0167f7d3f6a14d94b71462651339b482733a823f0478f4c4b1f9674f8460329675db923f30b4bdaa091c3cdbd53ac7f1dc96dc9ee4f1af0d0374a39d86ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
3KB

MD5
4fae1611f9f0e443bf1ea24cd1c56bf2

SHA1
ca64569b7dbc6c31a35278de086aa1ba877a49b7

SHA256
2156c8095bb2b8ce6704416580966b33ab72bb09e6e73d299f0410c15c53e44e

SHA512
c727fe2babf30a1cabb6fbd7d2c5379caa3a24301ab914b65d67ecd84081ed637359b9f75a9e350a46a0b15070903f0b7f9ffefa4a60e252be7fce129ac46f8e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
d1085dc98e96602be5a1f2a747be9f31

SHA1
0d63d6268fb4e30e9570333c704c0378838b4cbe

SHA256
10ca4764e9aaff7f69251cfb7d26a0f6c920db99de8425294b018ebb1a931948

SHA512
3668513b9395d647d24302730d0c72f6c15f59d3c17f4c9a714e2b8091e18b055a30501250fb83a5811bc65c89415159655215a208421d54b1d7dd82dfa7d3e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3343aeeaeb45f6b94da4e78babd17c1f

SHA1
fcbc90e63c81979886caa1ca48eb6eb14339ea44

SHA256
d7a41b5b39aba924ca22a16b98c63cd2210ef3f3ea6cd0cca43bd7d3cd433040

SHA512
f148a995d66478db2a75aab9288c610df9d43133a388494acedc0f7ca9f3bd9b60641199886e8a19bb776de30dc4264105514e7682afd52ebc110281c48f0ed3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ce9969be08ce0f1f3fcacb53a771fba8

SHA1
a1f228d6b8ddf3460970d8c6d3613d42547750e1

SHA256
a2b3a747ea3c00d87bab51bc02edd8a6f524a62d20bd143a2d3c6de3ede9d015

SHA512
a9bad86e08d0858f89982505cce102e443c4a467093ab0950359a54bd8b06ff9bd6302ce5871ea1c80b2eeb7ca1d696f61368b5818be57b0794335c19c7c59b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cbde4fe22270fb4b8d395d7c54252092

SHA1
2efd82c4bbe519b8e37a604f4dd9c0d28c03bfc4

SHA256
db81206107cca3069c2b5c55b94fc2db18a4ce6d12a2f91fbe475a747630bae2

SHA512
66b96bbc2b7e77f4307641cf392f3eaaf839a0440d54c0fa1da9c7e78d4af1bddcd4ecba854a506abba25857b161bf68f98358b5bc31d5fd95331cce80cc0f43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
742562346df3a14fd7374835653740b9

SHA1
7913af572b332c94ea5a7339c3f12dd45c82e460

SHA256
c467cdee44819dda8467db4abace5c1b1e12cd16c8b0c867fde65d121e33400b

SHA512
f687580a1304a2d7e08ad58e70455a0e28a3005721da14ed2256d6090c6cc91c62a51b4956424fea0098fdf28e8038549863804d877ebde88e3e58da1671dd7b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
372fb1b86dfd41b9ebfac8225be2e9f9

SHA1
1b164fb232b9196fdeec2e7367277ec07a557504

SHA256
b2428dab7858ae100c6270103cd9fcfa7e13ec7bd6b03ee79bc5696b759a8db7

SHA512
39cad4a16d41e491d4382ae7314d3e5b0311e9ca19ea516eb563066b4b9a3a4b3195c738d59957aa7c987e8a374a9eb095a7c408f744d9eb31c5f31aa65745cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e61b80d0b5913f64c42b754b4c686d2a

SHA1
e98d5d53d58c0f47601907abd3ff62717c144ddf

SHA256
cf0becafe9fdd64da838669816fb121dc3c8f1dec6d4ba3479e873188f7502f1

SHA512
f70f6aec492cb88a47e6dcbcdfaff49f77a3acd5472541a65e03918d3080017cf15e327de3f2cfacc2d7b72b52cf40e40d76a97d28987da8a8b68fb296be67f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
097308b963c397211fca5755e2919f91

SHA1
46b51a566627020a260e8882f833ad679823ce0d

SHA256
7c5666698766bf19162fb3b4ba1e8b4eaf4d25f7ba451fe36c890910be4dcfd5

SHA512
e6949f483057998465092eb72de62ec86f48d2478e0e68cf8bef8d41403b2eb6e961748ebc1ca664c2151dd20653ae976514ef53ce35db5518415b1f1724e57c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a547ec376ebfaeebe224023a93cd110f

SHA1
b44f5b34e20e8beb43684b9a3cc6894f62fd6d20

SHA256
fa19398a94cae19ebbc63b31496a17bc12678da225b936e5fe1bcdcf824dff5d

SHA512
e34c7d8ae98db820cc0240bbc2156a0589dbfdc7dec6f2c22ee8cb483e3c0f79b3b2c104c1455fee3ea0d9032caa4928ccb924fee8795c7483282c67059fec17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
5a428b08bf122f641bae5afc5ce511ae

SHA1
ae22703993cef13f01d9bbf60f9fc82059daf614

SHA256
0e12f9815acaa4c241764eac733b23fc537df11260ae1f345d51a5626d815bfb

SHA512
43572eef7988ab2efb8e216b9c039eb21e28b39b93b051e501d11738837c74e1a8cecd194c2d132387383118038d92d34bb8d89e54bdcf89cc611b3f6b3c9131

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
372ca64b627522092c54238429823419

SHA1
eaa0f7043e307432c7f99d69e7df1d0681857e01

SHA256
a60a23291d711b14604146f27fe23abdc79a37bd619cb29549fbb0d3d1c790d2

SHA512
f06e6e88e4d961601312a42d35ddf9de25662bd2f66df0488c736c616029aaf921f99bbcd4da0e658da84d30281ddeda9cb24a4ceaa1e203c2bc278f882924e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zOC4D87528\ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.exe

Filesize
971KB

MD5
a6aca7334109f9557e4e36bcb0636db9

SHA1
0d48af64ab4ec6d5df3c3a3fd2e5d44ab63f1ad4

SHA256
8adc74379b29818e3185b0e289a1bf15c23c5974b99bbeb73b2155e17fcb1c35

SHA512
4247c3b5b782c7dd46bbfec37e805a35a3e982254754b6d7fe0d7c7abdc573f06dcef4dae6516b14278df7e8f0cc989e29d4b5907071cc7f8e8e019aff5f2e6d

Download Submit
C:\Users\Admin\Downloads\ACTO ADMINISTRATIVO No. 0216_SANCIÓN POR RESOLUCIÓN.pdf.rar

Filesize
943KB

MD5
94a6db989c7b1e1ef9e3331171eb4c2c

SHA1
7ef28db7f05d338055fea44ffb8ed15503c9ee35

SHA256
6456825e433ad5aee331a9f3b45c29d0dd4404b67ab2264cf51755d040a1d372

SHA512
6ac9ce8249c4cdca0f3b2c90f80ae8c1fda8bfcc7a637a6650930476030dfb5be9e01feaf6184237b87ca37cacab5915bbacc9615c932fd58e58305b9ff77898

Download Submit
\??\pipe\crashpad_5036_TSDFLKUHSLMSSCMV

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2228-135-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-95-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-137-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-133-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-131-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-129-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-127-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-125-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-123-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-121-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-119-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-117-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-115-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-141-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-113-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-111-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-109-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-107-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-105-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-103-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-101-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-99-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-97-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-139-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-89-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-87-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-85-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-93-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-81-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-80-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-1154-0x0000000005CC0000-0x0000000005D1C000-memory.dmp

Filesize
368KB

Download
memory/2228-1155-0x0000000005D50000-0x0000000005D9C000-memory.dmp

Filesize
304KB

Download
memory/2228-143-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-91-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-1177-0x0000000005E00000-0x0000000005E54000-memory.dmp

Filesize
336KB

Download
memory/2228-1178-0x0000000006A80000-0x0000000006B82000-memory.dmp

Filesize
1.0MB

Download
memory/2228-75-0x00000000009A0000-0x0000000000A94000-memory.dmp

Filesize
976KB

Download
memory/2228-76-0x00000000054E0000-0x0000000005572000-memory.dmp

Filesize
584KB

Download
memory/2228-77-0x0000000005880000-0x0000000005968000-memory.dmp

Filesize
928KB

Download
memory/2228-83-0x0000000005AF0000-0x0000000005BD4000-memory.dmp

Filesize
912KB

Download
memory/2228-79-0x00000000061A0000-0x0000000006744000-memory.dmp

Filesize
5.6MB

Download
memory/2228-78-0x0000000005AF0000-0x0000000005BDA000-memory.dmp

Filesize
936KB

Download
memory/5636-1186-0x0000000006250000-0x00000000062B6000-memory.dmp

Filesize
408KB

Download
memory/5636-1185-0x0000000005C50000-0x0000000005CEC000-memory.dmp

Filesize
624KB

Download
memory/5636-1182-0x0000000000400000-0x0000000000416000-memory.dmp

Filesize
88KB

Download