asyncrat | hxxps://drive[.]google[.]com/open?id=1CpbGoHZWE_xilafF7mS4wZdWDsUoVi7l

Analysis

max time kernel
150s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
13-11-2024 19:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://drive.google.com/open?id=1CpbGoHZWE_xilafF7mS4wZdWDsUoVi7l

Score

10^/10

asyncrat pesca discovery rat

Malware Config

Extracted

Family

asyncrat

Version

0.5.7A

Botnet

PESCA

pesca12.duckdns.org:7707

pesca12.duckdns.org:6606

Mutex

uuooxuxbnkywum

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\TypeId.vbs	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe

Executes dropped EXE 2 IoCs

pid	Process
1016	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe
5520	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	drive.google.com
6	drive.google.com

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1016 set thread context of 5356	1016	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe	115
PID 5520 set thread context of 6076	5520	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe	118

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	InstallUtil.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133759984719346451"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
3620	7zFM.exe
3620	7zFM.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
5832	chrome.exe
3620	7zFM.exe
3620	7zFM.exe
3620	7zFM.exe
3620	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3620	7zFM.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeRestorePrivilege	3620	7zFM.exe
Token: 35	3620	7zFM.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe
Token: SeShutdownPrivilege	2436	chrome.exe
Token: SeCreatePagefilePrivilege	2436	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
3620	7zFM.exe
3620	7zFM.exe
3620	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe
2436	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4328	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2436 wrote to memory of 812	2436	chrome.exe	83
PID 2436 wrote to memory of 812	2436	chrome.exe	83
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 980	2436	chrome.exe	84
PID 2436 wrote to memory of 4868	2436	chrome.exe	85
PID 2436 wrote to memory of 4868	2436	chrome.exe	85
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86
PID 2436 wrote to memory of 2240	2436	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://drive.google.com/open?id=1CpbGoHZWE_xilafF7mS4wZdWDsUoVi7l
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff4e27cc40,0x7fff4e27cc4c,0x7fff4e27cc58
  2⤵
  PID:812
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1908,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1904 /prefetch:2
  2⤵
  PID:980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2144,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2224,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2428 /prefetch:8
  2⤵
  PID:2240
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3116,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:932
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3176 /prefetch:1
  2⤵
  PID:4808
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4484,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3668 /prefetch:1
  2⤵
  PID:1452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4660,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4828 /prefetch:8
  2⤵
  PID:4296
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=5064,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4400 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5296,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4404 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5592,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5588 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4932,i,18215919693644705700,4463250900544558620,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5768 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:5832

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4572

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:428

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4328

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3668

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 21994326947.rar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3620
- C:\Users\Admin\AppData\Local\Temp\7zO42E5B838\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42E5B838\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:1016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5356
- C:\Users\Admin\AppData\Local\Temp\7zO42EB6109\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO42EB6109\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:5520
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\InstallUtil.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a3bc57c1906ac28413331d32cbe2ee19

SHA1
97b6185274f2011d0eed49b656af368b28e6657e

SHA256
1a8b47f405b27a21455a1a61932042e49f9dbb2801ec57e5c5e88ce597ff1686

SHA512
1e37622767adfd9daf03999f12ddefa96c04ce8b0011c837fc6f51dfc4231cbcfb9e986e8898816d28bcb31f26a5d0ed7f8c59fdec4693a50805df3faa2140bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
360B

MD5
5f1d3d63d8f863f726af3da44c5b4b6a

SHA1
5e409a3a50f01ff3ed26f8f6f37539a5870d50fc

SHA256
54aac0e1557c0a535defa16e94c0fb3bae6249d5d78828a71719606ed1e8b334

SHA512
d17873cc370c1d8578baba4b2004624be03fd91ea200ddc8891a81309eb5f9fbbae66f1494e341bda9ea4080737b3257bd08430db048a052bce125ba0eb435e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
5KB

MD5
2c6cd6c277ba2d8707b6bfad8a8348c0

SHA1
fb63d8781b95e48706ac87c78be12faee7b4b13f

SHA256
ae586e102f4787e6c83d3f231fe7d11613c3c6ed5a9c1436ea7bbdb097cfea25

SHA512
7ccadc80d24e16c4146480bd78469ce72a115047626e21094e76d3a60046610f2dce82a882eefe124a99e2c2be1c600ebc13a37f4126c1e3c2db1d39a5786b39

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
0d85ae35498d310cecb89294a5d57360

SHA1
9aa93dea1658ed58a8c24eb556971f24444f8402

SHA256
2bae4b861e7ad8d9c70279598a89331aeda4fdef7711865a31d0746cffbe014e

SHA512
c4c467aafc3897e9a1703d18d65b54b7b73e63e810e3e32eb166e8234c7ebb23c2bcbbd1c5af40c4685da1e6034734e7bf13c60a659f6ce0d46225a5239c84d8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1024B

MD5
d3bab80372160c5cad124ef7433ed34b

SHA1
41958bd870c19bc34d8bb7f8bbc4676ab1a85910

SHA256
428664342a44af68cd556672ee52d9e31a47f952136dcbedec1c65cac8a8d641

SHA512
57b8ba9b4190fdbe2b2b24ddaf4507be173d14a3b185c1650d8c151f400829df2f3720758e11ee662c1c24d6fa41b4f580d619946acb8afeb42bc229ecab8d86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f47c2bd99c69ae3f5072b039a11955e1

SHA1
fcfb0ea8d3061218e661478980fa2960edf8ff96

SHA256
f573b3d03035802448d4c362533e038a71451510cfe12b2aa7dc3aa8dd3c1f49

SHA512
9a0cbd00185b9c949aacb4ebad8ffb4733c8afd30c1ec1b3258a896d4071169838a73bfa2e355342595927d66bc31c48bef3bb2493af9359601739952ef16d7d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
5e56cf3c2f169666c9eac4fd36ab96f1

SHA1
b1865a820934ea77cea669f2214e1afe5d042ea5

SHA256
c872886ca35f1c1f81120836b269772bb7eee2121e57fe71b9723ed5a3902fcf

SHA512
a9a06a83bcd079e73c74db78ee1738778d58c573da5fcdf93f6d3d1d2211760e8098ad0696b929a14ecdab556743d01af6ad36a731a2dba3d40baa130205d18f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3fbcb87987a134c6c882ffce5401f451

SHA1
f933361b989c3f852668f90119592c333acb6048

SHA256
0c63b811f09b1654c8432033cddefdcbf641ddb265dc1024aa23c3cb265eb8fb

SHA512
0fb10cb8f955a041abfac7bf06b7cdf489ccb119f7a018c59a220877965dcf4e66cbce2ee0a7c16db36c711d5861eaeb0702b3b3590287bc9540a59660719731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
9526f9dede27c8a0587c7b07a03f02cd

SHA1
0d42c6a92381b893c4f12189f92f8e592cf13d07

SHA256
5c1f3e9d752475ea5b6df00b73c13b78c8344c372c0dced3a45682ec3cf3e7c6

SHA512
d7ef713db37654fae663806fa65c13e4ef94aa7b75b66521b716c94be733ca0f21e16a348689b0f59e86617061d97745d6a3b551ca0a3cd31b6916e804287926

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
83bf4fa771a699708d273c9b6b853a8d

SHA1
741436f39cd438ae2524e1da3131731fad1940c7

SHA256
463437b1cd57f120992ce41bdaa8f2e97c0b7a231060eae227bcbdf715459b4d

SHA512
25b2057f97889917a35b50303812d66396b7df6abc69791857b2a94ebbc087820dc48f08b07ebdc5ac3cb3a48deb23eb505b7b7277a828baa786966eedb678a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
f245730d1a90e49fb65a4d3e3c34ac2f

SHA1
223c00ea0ada1f018985b530da3bcf1f6189a73b

SHA256
d8f9265de037dfbef3575b9c219e8c2fe2f365ca60583ecd3655c57e7272360d

SHA512
39ffc1d9458ca54a49b78091232618dd68e14afac7d642e42d0395e21f3af4e4c5f319641e10e4d7cf0a3e99c904c3e2e46870491cafdc27088ab4455de79c5a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b35c027e0bf2c533f3397fd017b56f63

SHA1
7b214db2a59c6b38f620899d754cacef4619d644

SHA256
0745d6a36dd96e7295bb19d198b66e36d213ad397509acbdb7f260e544479a07

SHA512
2baa2d211e920fb577c2fce0ea413cddc559fcbff68aebfda8bd320242f6dfda34b4190a4745a690e309945eb4736e163f8f75c7d30638960d5ad70e82fe7f4b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
425ae1fd56a9296d28332c88d4f9eb09

SHA1
68ccb5e7880acaf6a15d7719939a7668ced725bb

SHA256
19c2b97eccde5a84530122138ff194635e307bc3186a9c2946f76f75a0bdfaa9

SHA512
6e952fe3d41e3aec8bcf89f9cc8b2c1bd9557252a0d377bd17169545160c1b3e76c4884ee830f3068be105f9f402a2c536de20ef5aab570d2f1919bade67c539

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
3a0ac909d6a8d187d48cc6ad3f318000

SHA1
9aa7588e244efe5935025250280b32486f5730e0

SHA256
c7ac0db70d44fa79ab800bf4d63d9345835c1512fa4b32f673407e4c1056a8d0

SHA512
e7698f86dce16fe7e5c12e487fa99d87adc72dee0b9514efe53b5a6162ef4f5584ceca4bccf523a10dd9ec742a98daba8f38ba9709cfd84d2ac69cdee46f5bc6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6c692d35b59439ef51f64f33506f97f5

SHA1
3f168612662da53b74d1fa6f6def5c4efee3a015

SHA256
881ee2febc64cbe88861b033863503ac87ccf6ddde7022468d6ad95ca30db869

SHA512
2d42a3a0e27fde795b890cadeffaff890d4aaa1825c93022a8df3e899dd899173ab878b3a97b88cf20702f1132940436b3a5eaed0bbe58310ca7142de9c0fbde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
41e10e3e89e38e58eb62280340cd0c54

SHA1
ba1475caa1a327be7ea9acfbf42834cbb98a3c9d

SHA256
ba18b4eb36566aa512c583e2d629baa084bc3351a4e7086800294ec8d360039e

SHA512
6da415f220b6daed8862adea2d829b10fa89c4c979d7ce48f7ef37e85ed1820841063a94165bc04aba9ffe57258e6493b6897018c706f4babe62858df2742144

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a96cb7021f0cb4eacd38a1e7697015a1

SHA1
b65be603eed0fc34e707d45f8f69d68acf120402

SHA256
24bc0cd8a491c6e51f5bd2b059abf459c56bb94450b215d622788fd8965aa84e

SHA512
825894a33e38f49811921644ba9df68d1da631d8d24ad9dc91724c5bbc744861096528d5c9bf360f004fff89926a113119c79613efe25545393a6b85867e485e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO42E5B838\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 2198748O7364O729310486397291043869572014863957428163594326947.exe

Filesize
1.1MB

MD5
bfa2bc658d2270623baf2069bac872d0

SHA1
af61ae30d446da19a74294c367eb16a51b11cd48

SHA256
ae8a9e172bccbe1f002771f0142ed8811e2e7047301ac366e356b33762c34f8e

SHA512
ee40e1e2349b650ef9b8b4c27d3f37b6912332e8d7c6cb94ac9150cb2273701573fa8ad8052ae20cbf1eb2bc40dcca579b6bd174f2b1ca12f73ad1cb160d7180

Download Submit
C:\Users\Admin\Downloads\ANEXOS Y DOCUMENTOS DETALLADOS, PROCESO LEGAL ANTE JUZGADO 21994326947.rar.crdownload

Filesize
1004KB

MD5
73f25f0eeeed095f7e7bb93d7ffcad6d

SHA1
72dad412407a5147f82ab557a2d2e4724a93cf9c

SHA256
eaf70dd14383dfae93d7bb83c77b5ba5164ba49d5b5f38a957a4b2f8a9ec9de7

SHA512
3f2c954f00819d87f698635a64c4c869e385b146383c3ae71f891f0f3f01d4cad312478944ee7fd037357f572c5c71af6299182db2f385904565d5a625802977

Download Submit
memory/1016-184-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-166-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-208-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-206-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-204-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-203-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-200-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-198-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-197-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-192-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-186-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-190-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-182-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-180-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-178-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-174-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-172-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-188-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-176-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-170-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-168-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-194-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-164-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-162-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-160-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-156-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-154-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-152-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-1219-0x00000000056A0000-0x00000000056FC000-memory.dmp

Filesize
368KB

Download
memory/1016-1220-0x0000000005700000-0x000000000574C000-memory.dmp

Filesize
304KB

Download
memory/1016-1225-0x0000000006120000-0x00000000066C4000-memory.dmp

Filesize
5.6MB

Download
memory/1016-1226-0x0000000005940000-0x0000000005994000-memory.dmp

Filesize
336KB

Download
memory/1016-1227-0x0000000005B70000-0x0000000005C72000-memory.dmp

Filesize
1.0MB

Download
memory/1016-142-0x0000000000280000-0x000000000039E000-memory.dmp

Filesize
1.1MB

Download
memory/1016-145-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-146-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-143-0x00000000052A0000-0x0000000005388000-memory.dmp

Filesize
928KB

Download
memory/1016-158-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-148-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-150-0x0000000005410000-0x00000000054F2000-memory.dmp

Filesize
904KB

Download
memory/1016-144-0x0000000005410000-0x00000000054F8000-memory.dmp

Filesize
928KB

Download
memory/5356-1246-0x0000000005A40000-0x0000000005A80000-memory.dmp

Filesize
256KB

Download
memory/5356-1231-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download