Analysis
- max time kernel: 201s
- max time network: 211s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 12-11-2024 20:33

Static task: static1
Behavioral task: behavioral1
- Sample: ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
- Resource: win7-20240903-en
General
- Target: ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
- Size: 1.0MB
- MD5: afe62e59ee54125c18bd9dfdb72edcb2
- SHA1: 859ee99717dc6f6f627d2fc5c16b35bc41a6a91f
- SHA256: cc5ce9a489dfd3806be60936b6f53ac009a9720379a664e3b71e131106830939
- SHA512: 507e476a6fe7058de6ec48acee2a40e4e971bdc0f9be9146c7b9932a2ef573fe1e72e29b53d3527d90cdb3296cedf487afd660e4ea95901acc02da040b346bbc
- SSDEEP: 24576:ryKFgz6I6Y/2aPToM2qdCDTFgBxp1tVz5UVlMhyI:Jux1PToMxOgTPtV52Mh/
Malware Config
Extracted
- Family: asyncrat
- Version: 0.5.7A
- Botnet: CAERLITOS
- C2: carlitos24.duckdns.org:7707, carlitos24.duckdns.org:6606
- Mutex: uuooxuxbnkywum
- delay: 1
- install: false
- install_folder: %AppData%
Signatures

Asyncrat family
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HResult.vbs | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\HResult.vbs | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Suspicious use of SetThreadContext (5 IoCs)
Processes:
description | pid | process | procid_target
PID 1444 set thread context of 2448 | 1444 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe | 99
PID 4832 set thread context of 844 | 4832 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe | 129
PID 3544 set thread context of 2064 | 3544 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe | 130
PID 4184 set thread context of 4488 | 4184 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe | 133
PID 1640 set thread context of 4216 | 1640 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe | 135
System Location Discovery: System Language Discovery (1 TTP, 10 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | InstallUtil.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Enumerates system info in registry (2 TTPs, 3 IoCs)
Processes:
description | ioc | process
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
Processes:
pid | process
4940 | msedge.exe
4940 | msedge.exe
2136 | msedge.exe
2136 | msedge.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (3 IoCs)
Processes:
pid | process
2136 | msedge.exe
2136 | msedge.exe
2136 | msedge.exe
Suspicious use of AdjustPrivilegeToken (11 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 1444 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 1444 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 2448 | InstallUtil.exe
Token: SeDebugPrivilege | 4832 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 3544 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 4832 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 3544 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 4184 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 4184 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 1640 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Token: SeDebugPrivilege | 1640 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
Suspicious use of FindShellTrayWindow (26 IoCs)
Processes:
pid | process
2136 | msedge.exe (26 identical rows)
Suspicious use of SendNotifyMessage (24 IoCs)
Processes:
pid | process
2136 | msedge.exe (24 identical rows)
Suspicious use of WriteProcessMemory (64 IoCs)
Processes:
description | pid | process | procid_target | rows
PID 1444 wrote to memory of 2448 | 1444 | ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe | 99 | 8
PID 2136 wrote to memory of 4540 | 2136 | msedge.exe | 113 | 2
PID 2136 wrote to memory of 4124 | 2136 | msedge.exe | 114 | 40
PID 2136 wrote to memory of 4940 | 2136 | msedge.exe | 115 | 2
PID 2136 wrote to memory of 3708 | 2136 | msedge.exe | 116 | 12
Processes
- C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe"
  PID: 1444
  Signatures: Drops startup file; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 2448
    Signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
  PID: 1100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://temp/
  PID: 2136
  Signatures: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x120,0x124,0x128,0xf8,0x12c,0x7ffe547646f8,0x7ffe54764708,0x7ffe54764718
    PID: 4540
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,18075044923906023066,1814379036668615616,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
    PID: 4124
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,18075044923906023066,1814379036668615616,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2276 /prefetch:3
    PID: 4940
    Signatures: Suspicious behavior: EnumeratesProcesses
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,18075044923906023066,1814379036668615616,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2464 /prefetch:8
    PID: 3708
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18075044923906023066,1814379036668615616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
    PID: 1444
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18075044923906023066,1814379036668615616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
    PID: 2732
  - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,18075044923906023066,1814379036668615616,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4172 /prefetch:1
    PID: 4780
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 5028
- C:\Windows\System32\CompPkgSrv.exe
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
  PID: 1096
- C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe"
  PID: 4832
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 844
    Signatures: System Location Discovery: System Language Discovery
- C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe"
  PID: 3544
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 2064
    Signatures: System Location Discovery: System Language Discovery
- C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe"
  PID: 4184
  Signatures: Drops startup file; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 4488
    Signatures: System Location Discovery: System Language Discovery
- C:\Users\Admin\Desktop\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe
  Command line: "C:\Users\Admin\Desktop\ANEXOS Y DOCUMENTOS POR PROCESO LEGAL; NORMATIVA Y RADICACION VIGENTE 179235412184152786572135.exe"
  PID: 1640
  Signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    PID: 4216
    Signatures: System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads