asyncrat | hxxps://bitbucket[.]org/trabajo21/trabajoc/raw/a3f2e8b58eb09532adf630f0d83cf192b2f1dda4/DEMANDA%20EMITIDA%20EL%20DIA%2022%20DEL%20MES%20EN%20CURSO%20N%C2%B0%2020240710-5427-572468-87[.]tar[.]BIN[.]tar[.]001

Analysis

max time kernel
407s
max time network
408s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-11-2024 22:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://bitbucket.org/trabajo21/trabajoc/raw/a3f2e8b58eb09532adf630f0d83cf192b2f1dda4/DEMANDA%20EMITIDA%20EL%20DIA%2022%20DEL%20MES%20EN%20CURSO%20N%C2%B0%2020240710-5427-572468-87.tar.BIN.tar.001

Score

10^/10

asyncrat default discovery rat

Malware Config

Extracted

Family

asyncrat

Version

| CRACKED BY https://t.me/xworm_v2

Botnet

Default

nuevo12.duckdns.org:3000

Mutex

AsyncMutex_6SI8OkPnk

Attributes

delay
3
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat
Executes dropped EXE 2 IoCs

Processes:

demanda N° 20240710-5427-572468-87.exedemanda N° 20240710-5427-572468-87.exe

pid process

5072 demanda N° 20240710-5427-572468-87.exe
3000 demanda N° 20240710-5427-572468-87.exe

Loads dropped DLL 4 IoCs

Processes:

demanda N° 20240710-5427-572468-87.exedemanda N° 20240710-5427-572468-87.exe

pid	process
5072	demanda N° 20240710-5427-572468-87.exe
5072	demanda N° 20240710-5427-572468-87.exe
3000	demanda N° 20240710-5427-572468-87.exe
3000	demanda N° 20240710-5427-572468-87.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service
T1102

Processes:

flow ioc

6 bitbucket.org
9 bitbucket.org

flow	ioc
6	bitbucket.org
9	bitbucket.org

Suspicious use of SetThreadContext 4 IoCs

Processes:

demanda N° 20240710-5427-572468-87.execmd.exedemanda N° 20240710-5427-572468-87.execmd.exe

description	pid	process	target process
PID 5072 set thread context of 3900	5072	demanda N° 20240710-5427-572468-87.exe	cmd.exe
PID 3900 set thread context of 2440	3900	cmd.exe	MSBuild.exe
PID 3000 set thread context of 3608	3000	demanda N° 20240710-5427-572468-87.exe	cmd.exe
PID 3608 set thread context of 5036	3608	cmd.exe	MSBuild.exe

Drops file in Windows directory 2 IoCs

Processes:

mspaint.exemspaint.exe

description	ioc	process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	mspaint.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

AcroRd32.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.exeRdrCEF.execmd.execmd.exeMSBuild.exeMSBuild.exeRdrCEF.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RdrCEF.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

AcroRd32.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	AcroRd32.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	AcroRd32.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

Processes:

AcroRd32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION	AcroRd32.exe

Modifies data under HKEY_USERS 15 IoCs

Processes:

LogonUI.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "218"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 5 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exemsedge.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

Processes:

vlc.exe

pid process

3120 vlc.exe

pid	process
3120	vlc.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

Processes:

msedge.exemsedge.exeidentity_helper.exemsedge.exemsedge.exedemanda N° 20240710-5427-572468-87.execmd.exedemanda N° 20240710-5427-572468-87.execmd.exemspaint.exemspaint.exe

pid	process
4668	msedge.exe
4668	msedge.exe
4732	msedge.exe
4732	msedge.exe
556	identity_helper.exe
556	identity_helper.exe
4328	msedge.exe
4328	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
1028	msedge.exe
5072	demanda N° 20240710-5427-572468-87.exe
5072	demanda N° 20240710-5427-572468-87.exe
3900	cmd.exe
3900	cmd.exe
3000	demanda N° 20240710-5427-572468-87.exe
3000	demanda N° 20240710-5427-572468-87.exe
3000	demanda N° 20240710-5427-572468-87.exe
3608	cmd.exe
3608	cmd.exe
3608	cmd.exe
3608	cmd.exe
2260	mspaint.exe
2260	mspaint.exe
2560	mspaint.exe
2560	mspaint.exe

Suspicious behavior: GetForegroundWindowSpam 6 IoCs

Processes:

7zG.exeOpenWith.exeOpenWith.exeOpenWith.exeOpenWith.exevlc.exe

pid process

3700 7zG.exe
4504 OpenWith.exe
3864 OpenWith.exe
3780 OpenWith.exe
3956 OpenWith.exe
3120 vlc.exe
Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

demanda N° 20240710-5427-572468-87.execmd.exedemanda N° 20240710-5427-572468-87.execmd.exe

pid process

5072 demanda N° 20240710-5427-572468-87.exe
3900 cmd.exe
3900 cmd.exe
3000 demanda N° 20240710-5427-572468-87.exe
3608 cmd.exe
3608 cmd.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

Processes:

msedge.exe

pid process

4732 msedge.exe
4732 msedge.exe
4732 msedge.exe
4732 msedge.exe
4732 msedge.exe
4732 msedge.exe
4732 msedge.exe
4732 msedge.exe

pid	process
3700	7zG.exe
4504	OpenWith.exe
3864	OpenWith.exe
3780	OpenWith.exe
3956	OpenWith.exe
3120	vlc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

Processes:

7zG.exe7zG.exeMSBuild.exeAUDIODG.EXEvlc.exe7zG.exe7zG.exe

description	pid	process
Token: SeRestorePrivilege	3700	7zG.exe
Token: 35	3700	7zG.exe
Token: SeSecurityPrivilege	3700	7zG.exe
Token: SeSecurityPrivilege	3700	7zG.exe
Token: SeRestorePrivilege	5100	7zG.exe
Token: 35	5100	7zG.exe
Token: SeSecurityPrivilege	5100	7zG.exe
Token: SeSecurityPrivilege	5100	7zG.exe
Token: SeDebugPrivilege	2440	MSBuild.exe
Token: 33	2276	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2276	AUDIODG.EXE
Token: 33	3120	vlc.exe
Token: SeIncBasePriorityPrivilege	3120	vlc.exe
Token: SeRestorePrivilege	3988	7zG.exe
Token: 35	3988	7zG.exe
Token: SeSecurityPrivilege	3988	7zG.exe
Token: SeSecurityPrivilege	3988	7zG.exe
Token: SeRestorePrivilege	3048	7zG.exe
Token: 35	3048	7zG.exe
Token: SeSecurityPrivilege	3048	7zG.exe

Suspicious use of FindShellTrayWindow 63 IoCs

Processes:

msedge.exe7zG.exe7zG.exevlc.exe7zG.exe7zG.exe

pid	process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
3700	7zG.exe
5100	7zG.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3988	7zG.exe
3048	7zG.exe
4732	msedge.exe

Suspicious use of SendNotifyMessage 48 IoCs

Processes:

msedge.exevlc.exe

pid	process
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
4732	msedge.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe
3120	vlc.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

OpenWith.exeOpenWith.exeOpenWith.exe

pid	process
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
4504	OpenWith.exe
3864	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe
3780	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 4732 wrote to memory of 892	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 892	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 3516	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 4668	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 4668	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe
PID 4732 wrote to memory of 2644	4732	msedge.exe	msedge.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://bitbucket.org/trabajo21/trabajoc/raw/a3f2e8b58eb09532adf630f0d83cf192b2f1dda4/DEMANDA%20EMITIDA%20EL%20DIA%2022%20DEL%20MES%20EN%20CURSO%20N%C2%B0%2020240710-5427-572468-87.tar.BIN.tar.001
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xb4,0xe4,0xe0,0x40,0x108,0x7ffd875a46f8,0x7ffd875a4708,0x7ffd875a4718
  2⤵
  PID:892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2124 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2180 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:2836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5204 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5168 /prefetch:1
  2⤵
  PID:4212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5404 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5528 /prefetch:8
  2⤵
  PID:3456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:668
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5928 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5920 /prefetch:1
  2⤵
  PID:5012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6132 /prefetch:1
  2⤵
  PID:4816
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=904 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2108,15075476152714166206,5729888437584323063,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3908 /prefetch:1
  2⤵
  PID:1332

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:864

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2560

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3280

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\" -an -ai#7zMap20326:224:7zEvent4911
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4504

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\" -spe -an -ai#7zMap24238:216:7zEvent9161
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:5100

C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\demanda N° 20240710-5427-572468-87.exe
"C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\demanda N° 20240710-5427-572468-87.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:5072
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3900
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2440

C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\demanda N° 20240710-5427-572468-87.exe
"C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\demanda N° 20240710-5427-572468-87.exe"
1⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:3000
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\SysWOW64\cmd.exe
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:3608
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5036

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3864

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:3780
- C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroRd32.exe" "C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\xepfywx"
  2⤵
  - System Location Discovery: System Language Discovery
  - Checks processor information in registry
  - Modifies Internet Explorer settings
  PID:856
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --backgroundcolor=16514043
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1728
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=B4ADD34804B0C5F157E1BE9140B0A048 --mojo-platform-channel-handle=1760 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:668
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=renderer --disable-browser-side-navigation --disable-gpu-compositing --service-pipe-token=9806513FB86A0310C2374BBA668E6D1D --lang=en-US --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --enable-pinch --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --enable-gpu-async-worker-context --content-image-texture-target=0,0,3553;0,1,3553;0,2,3553;0,3,3553;0,4,3553;0,5,3553;0,6,3553;0,7,3553;0,8,3553;0,9,3553;0,10,3553;0,11,3553;0,12,3553;0,13,3553;0,14,3553;0,15,3553;0,16,3553;0,17,3553;0,18,3553;1,0,3553;1,1,3553;1,2,3553;1,3,3553;1,4,3553;1,5,3553;1,6,3553;1,7,3553;1,8,3553;1,9,3553;1,10,3553;1,11,3553;1,12,3553;1,13,3553;1,14,3553;1,15,3553;1,16,3553;1,17,3553;1,18,3553;2,0,3553;2,1,3553;2,2,3553;2,3,3553;2,4,3553;2,5,3553;2,6,3553;2,7,3553;2,8,3553;2,9,3553;2,10,3553;2,11,3553;2,12,3553;2,13,3553;2,14,3553;2,15,3553;2,16,3553;2,17,3553;2,18,3553;3,0,3553;3,1,3553;3,2,3553;3,3,3553;3,4,3553;3,5,3553;3,6,3553;3,7,3553;3,8,3553;3,9,3553;3,10,3553;3,11,3553;3,12,3553;3,13,3553;3,14,3553;3,15,3553;3,16,3553;3,17,3553;3,18,3553;4,0,3553;4,1,3553;4,2,3553;4,3,3553;4,4,3553;4,5,3553;4,6,3553;4,7,3553;4,8,3553;4,9,3553;4,10,3553;4,11,3553;4,12,3553;4,13,3553;4,14,3553;4,15,3553;4,16,3553;4,17,3553;4,18,3553;5,0,3553;5,1,3553;5,2,3553;5,3,3553;5,4,3553;5,5,3553;5,6,3553;5,7,3553;5,8,3553;5,9,3553;5,10,3553;5,11,3553;5,12,3553;5,13,3553;5,14,3553;5,15,3553;5,16,3553;5,17,3553;5,18,3553;6,0,3553;6,1,3553;6,2,3553;6,3,3553;6,4,3553;6,5,3553;6,6,3553;6,7,3553;6,8,3553;6,9,3553;6,10,3553;6,11,3553;6,12,3553;6,13,3553;6,14,3553;6,15,3553;6,16,3553;6,17,3553;6,18,3553 --disable-accelerated-video-decode --service-request-channel-token=9806513FB86A0310C2374BBA668E6D1D --renderer-client-id=2 --mojo-platform-channel-handle=1776 --allow-no-sandbox-job /prefetch:1
      4⤵
      System Location Discovery: System Language Discovery
      PID:3268
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=FDF8245053351C6F95B295E0C978B2F8 --mojo-platform-channel-handle=2324 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:4936
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=E62988F5EBAB1840703772F5BAE43A24 --mojo-platform-channel-handle=1944 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:556
  - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe
      "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\RdrCEF.exe" --type=gpu-process --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --gpu-preferences=GAAAAAAAAAAAB4AAAQAAAAAAAAAAAGAA --use-gl=swiftshader-webgl --gpu-vendor-id=0x1234 --gpu-device-id=0x1111 --gpu-driver-vendor="Google Inc." --gpu-driver-version=3.3.0.2 --gpu-driver-date=2017/04/07 --disable-pack-loading --lang=en-US --log-file="C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\AcroCEF\debug.log" --log-severity=disable --product-version="ReaderServices/19.10.20064 Chrome/64.0.3282.119" --service-request-channel-token=469A5790AFE4AC8830264C8CF6BC233E --mojo-platform-channel-handle=2400 --allow-no-sandbox-job --ignored=" --type=renderer " /prefetch:2
      4⤵
      System Location Discovery: System Language Discovery
      PID:1736

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:3956
- C:\Windows\system32\NOTEPAD.EXE
  "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\xileopa
  2⤵
  PID:2568

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file --no-playlist-enqueue "C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:3120

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2ec 0x458
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2276

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" a -i#7zMap9706:208:7zEvent17470 -tzip -seml. -sae -- "DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN.zip"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3988

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN.tar\" -ad -an -ai#7zMap1981:224:7zEvent12732
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3048

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RequestRedo.bmp"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2260

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\RequestRedo.bmp"
1⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
PID:2560

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DeviceAssociationService
1⤵
PID:1084

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3978055 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
PID:2260

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:5100

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe shell32.dll,SHCreateLocalServerRunDll {9BA05972-F6A8-11CF-A442-00A0C90A8F39} -Embedding
1⤵
PID:1540

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {3eef301f-b596-4c0b-bd92-013beafce793} -Embedding
1⤵
PID:928

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56a4f78e21616a6e19da57228569489b

SHA1
21bfabbfc294d5f2aa1da825c5590d760483bc76

SHA256
d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb

SHA512
c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e443ee4336fcf13c698b8ab5f3c173d0

SHA1
9bf70b16f03820cbe3158e1f1396b07b8ac9d75a

SHA256
79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b

SHA512
cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
181B

MD5
eb3358a18fe3482fe6cabeeed2000c89

SHA1
4b1ff6435aa3e6d0a5c91f9ed6774a3b6885fc92

SHA256
56c6e02a473adbb53783f5f5bcc2027ad0cb7e1718d3d8e8464baa26a82fff32

SHA512
6d8da42c17b6efbc9434e5e5484dcb58b23895ea4e6100d84ae3a7fe5e1beda2a94510263fffc4b0376aeb1ff87de35fd05eec632691b61eeb2676653a10a57d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
736bb195c0e5277563bc20647d3d6dd0

SHA1
18e60d4868c44154442b3e805dbbc802eb557d3e

SHA256
edcd820933423e4ccb69e0c2ad5f50b48845ab4c13e7624b95bc6616704c1e50

SHA512
4fef99d0f780338d5a63417a53133bb3c7510eeb38c7e42e4dc24ef5e9e5e9eb08382858ff1d389e4d2783e0fcca57ca5eee3820eeef7fb245e4abb15b94b87b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
16a38da651cc5b875edba550f24d7903

SHA1
35697003e949bbf1621ac41073c52743aeeb9683

SHA256
b52bf1ed55a2f93f14ca9965c333ae2e9d5bcaaf242716922a11e245a05ef725

SHA512
448990279b6cd9b9d0d69b1feaa04a7ad3215594ad3bd966d690605b222e571eddc97436db73e585d0c7459acdb625400680fa255893a6ec2df311f6beeed01c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
8000a9051fbd516a8ca09156fae1b842

SHA1
b118b7bd6a99cd69685cb1d5cc408a95058b4cec

SHA256
bfae2d2ab42c64cb1cb222018744eda72328f4d1431059d32b1ddb5eb61c8727

SHA512
7d52a983e509e42bc0659dd8ebf1c227d430b1e27ba94876948ffcc3f4c2259b1849c83c3895dc1675eaca716540b5859458ecb5536b99266afe16d943264e1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
68a6264cb42f2475f954247d807afd28

SHA1
68110b328f39c686b81d218bdeb3a8dcfd7c8ced

SHA256
ffa2a378517cbb91cc9100b436ea3e10e958329a0849e5f4fddb9965fc405277

SHA512
e4c21bc060996a71b4de9c0c85fb5c739c15741af468028880602bb5c4fdf16a1a2a7228f78a30b86f7d4befa7609049781a231b1831fc1d5df31de18815c60f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b39e29312f42fa91e11bde15198b6ac0

SHA1
f21529488ab27e4bf75c3ee2f87ea0f30186cb64

SHA256
1b8216d513f818a5a3d0e9301eaf7bafc472c502e800470efe8198176fe2a959

SHA512
5e7ba110837317d1df2e7b9ce25917db8833ac8da3a586acd3141ded1acb965ba69e99251f6e124b6dcfdafef3a6ad3c71ff058cf5a0f502b2d3f063e2489d8f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
86bca0f3587d6190d5470a9c4942267e

SHA1
407c397dee3a25df218533b91ae5fe99e7a15bcc

SHA256
db6f4e1e90976c1ba7d111607e37ba6d23a526dcc3c38b21c797533350980b3c

SHA512
500f75b13ac44380629200a87f11ca27d4fdda0ca7ad73584f287aadda42ede98e997272892c50530b31c4858575ce8245273e1f785f6a283068fe1839dd1003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
59c831131878b16297062d6315ebb0cf

SHA1
3e57bf5d4937aaf02c5e641688b1942468a5e3d4

SHA256
75a455ea8c207465883f39016c44ce38bed2ec0ea3fc39dce69ef46508ae816b

SHA512
041f943f02fda285f79bf0923dd4f97380e13ed60ec86e4964b0caf8a5ce2ed8497805bcc852a0df09e99dcbc9ed5e6f0e54aa8ac6c5a5c0a81f102c65605410

Download Submit
C:\Users\Admin\AppData\Local\Temp\9937f2f1

Filesize
780KB

MD5
e33fe975592207208da948ca3624952d

SHA1
730745e16d28625826f2c355f2942d6e3d123799

SHA256
7c0f4000ebc3b5de21219de7204936bf5335477ac5a0717909ea5d3b12c10b99

SHA512
b5b39035576a20aeb4266a01bf23212609f36e4a0a5bca303d950d0660567c5f34139756d068e8ac2b8d225437eafa2908c45c485e750971d4cf0cc519922505

Download Submit
C:\Users\Admin\AppData\Local\Temp\f56f377d

Filesize
780KB

MD5
13dc78d03deac36bbacacbae96b6cd68

SHA1
76e3a7c5469e039e67bbf98c4fd689d83fe24ce6

SHA256
2d411fd9bc5b01d5cf8de01bb731ca494cc325544bdf9954d27802720ddb004e

SHA512
10f8a5f123196835af27037b738205fd06ebb4a67460f45c0d24a1f55b074f2a9b6bf14d9e17b2d6490f0accbfca5c6e1623f0b1d127bbe0d198bf1c0333b24e

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN.bin

Filesize
4.3MB

MD5
bfab59b0fd348d9ef38c4d0c04eab56f

SHA1
212b8d0273c2fcb9c05cc823163032f7976398be

SHA256
35d6e94d581a6717da3eba6f5ea9633082b0d70757637cd5cc25c5e7f132b0d8

SHA512
fb5c3f1bd737de15ac31232736e0d1006d1b1bd1e96362f115cdce6c03528ad8e16af140df471f6300173f5740a92f137422c7b0b8e267b62f37afa59dabcc2b

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN.tar.001

Filesize
2.0MB

MD5
7cbcd62b53718359ad00e60265ecf328

SHA1
29de9f20926a531a512fae929519543f30800712

SHA256
d7cc2871b126a7a15ca25d63c65938669a3fa0a59ad0692fc3d643545da99791

SHA512
67d6042af5b9b490a2b87002b6c87f8110d6fc77de5af753d42192a26e928d7bfc791e6a87a6a397f88ccf145cc9855bd3a8049d8e962ce26f634b59608df207

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\demanda N° 20240710-5427-572468-87.exe

Filesize
966KB

MD5
e634616d3b445fc1cd55ee79cf5326ea

SHA1
ca27a368d87bc776884322ca996f3b24e20645f4

SHA256
1fcd04fe1a3d519c7d585216b414cd947d16997d77d81a2892821f588c630937

SHA512
7d491c0a97ce60e22238a1a3530f45fbb3c82377b400d7986db09eccad05c9c22fb5daa2b4781882f870ab088326e5f6156613124caa67b54601cbad8f66aa90

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\libvlc.dll

Filesize
186KB

MD5
4b262612db64f26ea1168ca569811110

SHA1
8e59964d1302a3109513cd4fd22c1f313e79654c

SHA256
a9340c99206f3388153d85df4ca94d33b28c60879406cc10ff1fd10eae16523f

SHA512
9902e64eb1e5ed4c67f4b7e523b41bde4535148c6be20db5f386a1da74533ca575383f1b3154f5985e379df9e1e164b6bda25a66504edcfaa57d40b04fc658c7

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\libvlccore.dll

Filesize
2.7MB

MD5
97a73457e3ee2b11618c3e57e3989ffa

SHA1
d38cbe532661b6ff271d231594cad4b8fb37f158

SHA256
d03d0853e0104b47b595d64f79e7ee3d3821fe4cd962f6bd80e9df1507f8f2f4

SHA512
ab786207ef73fd637d9318fcf7a1969158e335d344dcf620888fa8f645715f0bfc098fda12e84fa67406dd80e2b63a1928bee2f13e8e7a9a8c327fa1c94dfe2d

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\xepfywx

Filesize
14KB

MD5
11e48a9d6e5c8968b41b4bf41ae2f8a7

SHA1
64ed5f145089924cfce9ca924f767c46b2750875

SHA256
0791505e72374ed0ea12a5559988c2d1b8cfd4ab7d690aae06f2e3130b792f4e

SHA512
ad7a3d8f2b95ff20d5fb9efcd51decd03fbc6baf120bcc18ca8f7210311d3aa16b3eadb158b3a7a7db9b655b89974c665385fa23433d03687a7e38bca0af6100

Download Submit
C:\Users\Admin\Downloads\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87.tar.BIN\DEMANDA EMITIDA EL DIA 22 DEL MES EN CURSO N° 20240710-5427-572468-87\xileopa

Filesize
543KB

MD5
6b67ad0b2b9ef3ba03c4f4e04fcc957e

SHA1
e92f9e393f272621177eca2683dcc38724514fd7

SHA256
3be576d1ca15a0e4479d1cafc644b144b01306254d1981e9b8bf5f5f15b34f2b

SHA512
48a5a8c14471410dde38161842205fb857fedbf4d3c1a5492fbb6cfa90b7622e62fe47de078bf0d839a20abe45790b67009319d4fd0a4bf04c8ae59509c85637

Download Submit
\??\pipe\LOCAL\crashpad_4732_VSAVEQJOQXCHWDFW

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2440-278-0x00000000069F0000-0x0000000006A66000-memory.dmp

Filesize
472KB

Download
memory/2440-197-0x0000000000F80000-0x0000000000F96000-memory.dmp

Filesize
88KB

Download
memory/2440-280-0x0000000007190000-0x00000000071AE000-memory.dmp

Filesize
120KB

Download
memory/2440-200-0x00000000063C0000-0x0000000006964000-memory.dmp

Filesize
5.6MB

Download
memory/2440-188-0x0000000073930000-0x0000000074B84000-memory.dmp

Filesize
18.3MB

Download
memory/2440-199-0x0000000005D70000-0x0000000005E0C000-memory.dmp

Filesize
624KB

Download
memory/2440-201-0x0000000005E80000-0x0000000005EE6000-memory.dmp

Filesize
408KB

Download
memory/2440-279-0x0000000005E60000-0x0000000005E74000-memory.dmp

Filesize
80KB

Download
memory/2440-281-0x00000000076A0000-0x0000000007732000-memory.dmp

Filesize
584KB

Download
memory/3000-193-0x00007FF7FB7B0000-0x00007FF7FB8A8000-memory.dmp

Filesize
992KB

Download
memory/3000-194-0x00007FFD87B90000-0x00007FFD87BC4000-memory.dmp

Filesize
208KB

Download
memory/3000-195-0x00007FFD76090000-0x00007FFD76345000-memory.dmp

Filesize
2.7MB

Download
memory/3000-191-0x00007FFD756C0000-0x00007FFD75832000-memory.dmp

Filesize
1.4MB

Download
memory/3000-178-0x00007FFD756C0000-0x00007FFD75832000-memory.dmp

Filesize
1.4MB

Download
memory/3120-263-0x00007FFD86400000-0x00007FFD86411000-memory.dmp

Filesize
68KB

Download
memory/3120-264-0x00007FFD75510000-0x00007FFD75545000-memory.dmp

Filesize
212KB

Download
memory/3120-246-0x00007FF65D8D0000-0x00007FF65D9C8000-memory.dmp

Filesize
992KB

Download
memory/3120-247-0x00007FFD87B90000-0x00007FFD87BC4000-memory.dmp

Filesize
208KB

Download
memory/3120-248-0x00007FFD73940000-0x00007FFD73BF6000-memory.dmp

Filesize
2.7MB

Download
memory/3120-255-0x00007FFD875F0000-0x00007FFD87601000-memory.dmp

Filesize
68KB

Download
memory/3120-254-0x00007FFD87760000-0x00007FFD8777D000-memory.dmp

Filesize
116KB

Download
memory/3120-256-0x00007FFD75630000-0x00007FFD7583B000-memory.dmp

Filesize
2.0MB

Download
memory/3120-253-0x00007FFD878B0000-0x00007FFD878C1000-memory.dmp

Filesize
68KB

Download
memory/3120-252-0x00007FFD879A0000-0x00007FFD879B7000-memory.dmp

Filesize
92KB

Download
memory/3120-251-0x00007FFD879C0000-0x00007FFD879D1000-memory.dmp

Filesize
68KB

Download
memory/3120-250-0x00007FFD883F0000-0x00007FFD88407000-memory.dmp

Filesize
92KB

Download
memory/3120-249-0x00007FFD8B0E0000-0x00007FFD8B0F8000-memory.dmp

Filesize
96KB

Download
memory/3120-274-0x00007FFD73940000-0x00007FFD73BF6000-memory.dmp

Filesize
2.7MB

Download
memory/3120-262-0x00007FFD86C10000-0x00007FFD86C2B000-memory.dmp

Filesize
108KB

Download
memory/3120-275-0x0000021451870000-0x0000021452920000-memory.dmp

Filesize
16.7MB

Download
memory/3120-261-0x00007FFD86C90000-0x00007FFD86CA1000-memory.dmp

Filesize
68KB

Download
memory/3120-260-0x00007FFD87430000-0x00007FFD87448000-memory.dmp

Filesize
96KB

Download
memory/3120-259-0x00007FFD86D00000-0x00007FFD86D21000-memory.dmp

Filesize
132KB

Download
memory/3120-257-0x0000021451870000-0x0000021452920000-memory.dmp

Filesize
16.7MB

Download
memory/3120-258-0x00007FFD80DF0000-0x00007FFD80E31000-memory.dmp

Filesize
260KB

Download
memory/3120-272-0x00007FF65D8D0000-0x00007FF65D9C8000-memory.dmp

Filesize
992KB

Download
memory/3120-273-0x00007FFD87B90000-0x00007FFD87BC4000-memory.dmp

Filesize
208KB

Download
memory/3608-198-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

Filesize
2.0MB

Download
memory/3900-174-0x00000000753B0000-0x000000007552B000-memory.dmp

Filesize
1.5MB

Download
memory/3900-172-0x00007FFD96130000-0x00007FFD96325000-memory.dmp

Filesize
2.0MB

Download
memory/5036-204-0x0000000073930000-0x0000000074B84000-memory.dmp

Filesize
18.3MB

Download
memory/5072-169-0x00007FFD8C7F0000-0x00007FFD8C824000-memory.dmp

Filesize
208KB

Download
memory/5072-170-0x00007FFD76350000-0x00007FFD76605000-memory.dmp

Filesize
2.7MB

Download
memory/5072-168-0x00007FF7FB7B0000-0x00007FF7FB8A8000-memory.dmp

Filesize
992KB

Download
memory/5072-166-0x00007FFD76BF0000-0x00007FFD76D62000-memory.dmp

Filesize
1.4MB

Download
memory/5072-161-0x00007FFD76BF0000-0x00007FFD76D62000-memory.dmp

Filesize
1.4MB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads