remcos | bad948017a4001a3e9a82fd53bfddb4fd9ddeba4a03eae6aa71a48f3eb69eaad

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
31-01-2025 16:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cotización.exe
Size

633KB
MD5

a3d33d33f8b10595c252ee8e61a8892c
SHA1

f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
SHA256

fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
SHA512

5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
SSDEEP

6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

2.58.56.182:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GM05WY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 5052 set thread context of 2032	5052	Cotización.exe	87
PID 5052 set thread context of 1948	5052	Cotización.exe	92
PID 5052 set thread context of 4420	5052	Cotización.exe	97
PID 5052 set thread context of 2796	5052	Cotización.exe	102
PID 5052 set thread context of 4996	5052	Cotización.exe	107
PID 5052 set thread context of 748	5052	Cotización.exe	112
PID 5052 set thread context of 3256	5052	Cotización.exe	117
PID 5052 set thread context of 5064	5052	Cotización.exe	122
PID 5052 set thread context of 2716	5052	Cotización.exe	127
PID 5052 set thread context of 3848	5052	Cotización.exe	88
PID 5052 set thread context of 5016	5052	Cotización.exe	138
PID 5052 set thread context of 3704	5052	Cotización.exe	144
PID 5052 set thread context of 1060	5052	Cotización.exe	149
PID 5052 set thread context of 2712	5052	Cotización.exe	154
PID 5052 set thread context of 1836	5052	Cotización.exe	159
PID 5052 set thread context of 4140	5052	Cotización.exe	164
PID 5052 set thread context of 2216	5052	Cotización.exe	176
PID 5052 set thread context of 3052	5052	Cotización.exe	181
PID 5052 set thread context of 4984	5052	Cotización.exe	187
PID 5052 set thread context of 636	5052	Cotización.exe	192
PID 5052 set thread context of 2444	5052	Cotización.exe	197
PID 5052 set thread context of 1620	5052	Cotización.exe	203
PID 5052 set thread context of 5116	5052	Cotización.exe	208
PID 5052 set thread context of 4896	5052	Cotización.exe	215
PID 5052 set thread context of 4740	5052	Cotización.exe	220
PID 5052 set thread context of 4804	5052	Cotización.exe	226

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241007_092205779.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\SPDEBJWH-20241007-0927.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI3BC2.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI3BA4.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241007_092205779.html	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\AdobeSFX.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\aria-debug-4964.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_000_dotnet_runtime_6.0.27_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_001_dotnet_hostfxr_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BroadcastMsg_1728293199.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_000_dotnet_runtime_7.0.16_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_002_dotnet_host_7.0.16_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI3BC2.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct4EDB.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct709C.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\aria-debug-4964.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\{C6F2505A-B2B8-4458-8F35-509BF52EADED} - OProcSessId.dat	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wctB296.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msedge_installer.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_002_dotnet_host_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_000_dotnet_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI3BA4.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI3BA4.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_001_dotnet_hostfxr_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct951.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BroadcastMsg_1728293199.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_002_dotnet_host_7.0.16_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_000_dotnet_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct4EDB.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\AdobeSFX.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_002_dotnet_host_8.0.2_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BIT4F0B.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_000_dotnet_runtime_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\SPDEBJWH-20241007-0927a.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_002_dotnet_host_6.0.27_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\{C6F2505A-B2B8-4458-8F35-509BF52EADED} - OProcSessId.dat	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\mapping.csv	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msedge_installer.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_001_dotnet_hostfxr_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wmsetup.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BIT4F0B.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_002_dotnet_host_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll	Cotización.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	5052	Cotización.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5052 wrote to memory of 2752	5052	Cotización.exe	178
PID 5052 wrote to memory of 2752	5052	Cotización.exe	178
PID 2752 wrote to memory of 5076	2752	cmd.exe	84
PID 2752 wrote to memory of 5076	2752	cmd.exe	84
PID 5076 wrote to memory of 3812	5076	cmd.exe	85
PID 5076 wrote to memory of 3812	5076	cmd.exe	85
PID 5052 wrote to memory of 3296	5052	Cotización.exe	86
PID 5052 wrote to memory of 3296	5052	Cotización.exe	86
PID 5052 wrote to memory of 3296	5052	Cotización.exe	86
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 2032	5052	Cotización.exe	87
PID 5052 wrote to memory of 3848	5052	Cotización.exe	88
PID 5052 wrote to memory of 3848	5052	Cotización.exe	88
PID 3848 wrote to memory of 2056	3848	cmd.exe	90
PID 3848 wrote to memory of 2056	3848	cmd.exe	90
PID 2056 wrote to memory of 1468	2056	cmd.exe	179
PID 2056 wrote to memory of 1468	2056	cmd.exe	179
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 1948	5052	Cotización.exe	92
PID 5052 wrote to memory of 2832	5052	Cotización.exe	93
PID 5052 wrote to memory of 2832	5052	Cotización.exe	93
PID 2832 wrote to memory of 4984	2832	cmd.exe	187
PID 2832 wrote to memory of 4984	2832	cmd.exe	187
PID 4984 wrote to memory of 5072	4984	cmd.exe	96
PID 4984 wrote to memory of 5072	4984	cmd.exe	96
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 4420	5052	Cotización.exe	97
PID 5052 wrote to memory of 1004	5052	Cotización.exe	204
PID 5052 wrote to memory of 1004	5052	Cotización.exe	204
PID 1004 wrote to memory of 640	1004	cmd.exe	100
PID 1004 wrote to memory of 640	1004	cmd.exe	100
PID 640 wrote to memory of 3924	640	cmd.exe	101
PID 640 wrote to memory of 3924	640	cmd.exe	101
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102
PID 5052 wrote to memory of 2796	5052	Cotización.exe	102

C:\Users\Admin\AppData\Local\Temp\Cotización.exe
"C:\Users\Admin\AppData\Local\Temp\Cotización.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5052
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2752
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5076
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3812
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2032
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3848
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1468
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1948
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2832
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4984
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:5072
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4420
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1004
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:640
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3924
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2796
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:2812
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4380
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3636
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4996
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4556
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1384
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2436
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:748
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4896
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1488
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2944
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3256
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1432
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2924
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5064
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4348
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:5000
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1496
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2716
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:928
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4740
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5084
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3848
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:424
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1312
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3020
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5016
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:2812
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4424
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1304
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1560
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3704
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1140
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3812
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:5076
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1060
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:2732
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4988
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4296
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2712
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4896
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4476
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3356
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1836
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1004
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3004
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2552
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4140
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4064
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2060
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2024
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2588
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2216
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1904
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2752
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1468
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1064
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3052
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3616
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2736
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4008
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:432
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4984
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3208
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3244
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:5028
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:636
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3880
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4168
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2964
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2444
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3932
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4216
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1372
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1620
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1004
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1920
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5116
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:5000
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1788
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2080
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3128
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1404
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4896
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4768
- - C:\Windows\System32\Conhost.exe
    \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
    3⤵
    PID:2552
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1500
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1308
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4740
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1072
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2660
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4540
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:880
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:4804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\AdobeSFX.log

Filesize
1KB

MD5
d3d9f79c09659eff60bf12a04a822375

SHA1
cf33a0dcbddb3a6ba6f5f7654ab6be21194a4146

SHA256
8be446598e73baa4deb962a089433cfb0cb0fe62eadb9c4d8a9b1e6723b3d189

SHA512
60d05581ece742a59df9f3b2a50a1baee897adab4330600f9a8e4ab0d9e035aa3f74a6d8c9e3475187ccf285f653791648995813f6adda12156f5621b7e11bd1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BIT4F0B.tmp

Filesize
1.6MB

MD5
6e6c9eead0bf1a09c9bc0f4516139bfe

SHA1
1aba1e90b8f7db2ea484521ea3247e1e1dffcc74

SHA256
812012ea1a55b4a8b6980d0c9f352be6bbdc1c69bfe13b5116400057aca30662

SHA512
f844a2bcb06b0421a94160a88647ca6d3ae51cad056b3db186da846df336bf57e84a60d95d8310a2becc32c7ca6334098e13b1315ac66f32ede266e0d4d85e08

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe

Filesize
633KB

MD5
a3d33d33f8b10595c252ee8e61a8892c

SHA1
f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

SHA256
fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

SHA512
5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log

Filesize
13KB

MD5
938aab855d4cfd32e15e6758c4a0a759

SHA1
c9ee3d64a140ddc714353440c92207c854d9b757

SHA256
8f880709f642565d9f8133ab16be2cc953fc8d527bbf7f8c799ec89f19913abd

SHA512
e5f7b8845b2fa5b8432ffe94c5c743482ee2bcfe02dfc4cc64df2338aa4dddeee79aa0cb7bb2deb45678b656290ef1dcceed7b7a0fdd2f37ed88a31699fc2f49

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20241007_092205779.html

Filesize
93KB

MD5
75c1bd59d4895dc5c147220b56d7fcf3

SHA1
b068a640ec469d6d1acb09f5c03bf27883a02f77

SHA256
3c1dedf957f6c88571a2a94b7306f24327b1397d791ecc1b9972dce6f4f67452

SHA512
77fa96de374ba8c6bc813292a40a84b1fa2f9551fb1a72bc8d9ce0157f238f0f5e8efdb0ac302797c38150c99a49019166a46e2147c120906213d8a130ed85c5

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242.log

Filesize
15KB

MD5
92290e8a24e0a66d1068b48a6294e7b8

SHA1
a71c3341659ce9e9c565aaf404f42f71a16102d7

SHA256
0d829353e51361e2d80d42e2ae228d76c488033eb9eefad88eba52eeb988bd01

SHA512
257b95577dfe4ba2dac1b18b23379c3e1d5a4f7444badeeb4561208beff17d9ad2641eb2ab5bc99398eff7c772f6ceaf311292be8bce5dd38dbc5ab8b7323231

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_000_dotnet_runtime_6.0.27_win_x64.msi.log

Filesize
551KB

MD5
061e48c3f3bc1d8d877f7614a45c9f93

SHA1
0aa9057205c2680c7f0670064554cacdd36f6863

SHA256
b2a7608ce8380af926c81f305b11fc537261daa13252df1adb73d0ac62a2ec43

SHA512
7554217ab1d1909d36f59d662e4d70988eaae27fbab431a3471be3918279348ca98ae026099c95d7ff1daaf6b53cc41ebd1fb8b897b383b2c6f5913d244cdbd9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_001_dotnet_hostfxr_6.0.27_win_x64.msi.log

Filesize
95KB

MD5
ef6af4a23a00bee5e6055ae252a29d61

SHA1
69780f15bf3f01cb3172008410b3a833e97d2f2d

SHA256
106f97d28de3b50f649dfa7b2a4f0f4bdebb7a11782d5cfcbc18eebeea6758b4

SHA512
9ece7feb593bd31f847c789645ef6c221b1764f37a8b285ef3b0fd4b598099082c59bc68d7fe493b1f78207d5cbbd6998a9df0e13056978bd9a784273ee6dde6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_002_dotnet_host_6.0.27_win_x64.msi.log

Filesize
105KB

MD5
ba77f43888bf00d59d712012a839c96c

SHA1
01a4e4967913633a2167cc85a70ee0570db5b9fa

SHA256
fa2fcd9b36182fd3e12948859600f675096fe5da6bd21870958bed8e55f15658

SHA512
f92f6bac66f41c034f264459bdb61ad313d51959c695e5fcac1794e13ed699668902789d259bb12e4be5c6a65d5d33976909c84f19ad6c8696381eb2f44462e2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20241007092242_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log

Filesize
847KB

MD5
a6eed33555bf7a1876ec90a266047d94

SHA1
295fb6f1556d69311f8877996845bbb2c1d49861

SHA256
75291b28062b408b0f817745b1928e43767013bd5bc2b16ffc7360481466fb19

SHA512
b9b83873fa47a0d3f3331b441c96f40751f04fc179fde0852c56a4b413877507eb451b83f71a9b927e1c43a6e7a5b6569824da821a287de936b3937a75a34c0b

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319.log

Filesize
15KB

MD5
2c5d8290b9e78e95d06c58fc7f3f463c

SHA1
770b04aaefb644af5b8c1c38da2a2290b4afed23

SHA256
41d3e388a3e8393144bd40767223f9c0a6f2e3b36864efa42263e2f72db70dfe

SHA512
c19c8395adfcf2d26c3e11a8f424460d375c2b7fb7a3680884024c192ec80adef0a48121a58e0988534bbaa2ea143c66720d4856c08b1ee13578dce805327902

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_000_dotnet_runtime_7.0.16_win_x64.msi.log

Filesize
470KB

MD5
1a9a300879679826e396c8f97e5778d3

SHA1
2a8181230128887adae1d456f7528203bc7f9805

SHA256
9e31ac79dea2708b2c4b78dc3f49940afbd8e4b40343dd5fe08bc711effa0fa2

SHA512
8e2fc21713895dd674a95d12f72bb2914e290b9da4e57099ace10c1bd2e8c9cb3adb469a2db470d6b5f6b07d93ba973630df0d064a0bbd2f5dc62f0d33c48c66

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_001_dotnet_hostfxr_7.0.16_win_x64.msi.log

Filesize
95KB

MD5
1c390a913f633c8fb9b7d9c5a5354cfa

SHA1
de41c4c1130e2652cf7d7452a71e993dd3e39baf

SHA256
dda9f4abc3e7aada0c88b9c9b0b0dabd9e0e02961206447fe531eea3bd4f1b24

SHA512
6aa80c47c9e233af48091251bffca661dec9f4c4396c2e44136a4ce6b490393d98b71d556e0c34a0de0d77d7448889d53222f71e74bb0a1b97994397fb1bfcfe

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_002_dotnet_host_7.0.16_win_x64.msi.log

Filesize
109KB

MD5
54d6178c4b07c2083b3a19a400a23f3c

SHA1
e1f9d0381c442a9221450378cf4653c1e7d4a379

SHA256
4203a7275f6e411b7aff29542fcdd731b8d83b75dbccf10ff23ca2c70e131e97

SHA512
5f0ee7772cc0faea319933fafde13a9d93d2ba43da00ca54c8b4f198d76c2abd6bb7eb25895d40c7b6f1c0538ddedfe29c59471ac75f6c34df1d3a35827931e1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20241007092319_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log

Filesize
852KB

MD5
f672160cef38437951ece790b1c1a83e

SHA1
e3c0b0a8f2b7273fbc6a2ca231be096b08100a63

SHA256
cf01281c01dfa30e222446db8144b32377d9dc6b1c2455eddadbb773a849845f

SHA512
e91c9acc7cf5cd2656f3b5b68c04a8f447bdb571840276be7c2d38aa055ecb9259c4b270eaf93e80e4b3b1f7044d5cda24c16288794a548b0ceaaa98e25c3463

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340.log

Filesize
15KB

MD5
d10711a292bc4f5be135c2d91cc55e1f

SHA1
ec624d33b44c71f8e39a68f90c80f2619d91fe51

SHA256
19ec4a9e275fc5105111c135ac0efb617d6a163fe07f54bcbe8c9f81798c336d

SHA512
533b280d9ddc6f038db3e5f5fd24dc7481ab48cefe44d44ba07070c8084ffea59e824635dbd42d76f6d2d4f9fbf2f27ef08e26d051964acdb4604be27ba116d4

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_000_dotnet_runtime_8.0.2_win_x64.msi.log

Filesize
469KB

MD5
6810cd5d7f40cc220e8921d93bb30579

SHA1
34eb2d3341c79cf67d0b4939e2a3d94076c1f704

SHA256
94069cfc24ad4a837343856e410921f0d41242f2f8095a4c110b9a1a548edae9

SHA512
f1a93c7bb2c8ffd2cd256a06539f2f932a954539370dc7b7d8a4b130c179fbdfe3fce5e8f4dae18a88f43c1c54f17c3952009c08ab80b4f2a097e98726da1aac

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_001_dotnet_hostfxr_8.0.2_win_x64.msi.log

Filesize
95KB

MD5
668ab26d99a8105722c35b783cd45f73

SHA1
818d67e21d74d0c52ddfc7d9c6a2c740f3e7ee1c

SHA256
d8426a128e633a252ada0b07a9c6291c04820c3838e9bab142663377bbab53eb

SHA512
8e993d4cd3cf040ea65f3512cbb2cdefa29cfe1bef2a0e246afe707b8aa3da51d882684cbf98227a9f5368e58c9349f01cf761694adc12efc992c8738a0d7ea9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_002_dotnet_host_8.0.2_win_x64.msi.log

Filesize
109KB

MD5
f8420ff770a3261d69c842394584068d

SHA1
e7b2ac4da4881c095b1dcf5095a16680f2778f8e

SHA256
d737f289af249498540e0005d5e4ef11ffada4d1c9a99795701d8e0726f5173c

SHA512
4091696f28252872d46e14bb2056041229d61cfbf60adb8ed197b9a62236694c0582d5e3e44a736594887d9e47f4225704141d975e82a37da302a0ee458899fc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20241007092340_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log

Filesize
846KB

MD5
3cc38c0f54a0c1320a32c228ed9ccfa3

SHA1
748f73d0ba3961f527725ddb8b3f0fc332b203af

SHA256
c010c4b43da0b953144fc123fd459166e58a9f4feabc6afc25f7d649765f606f

SHA512
b8be9946b7f3ddc6155ef44e2c46ed9719c383cdc5c6d792cb79fe650b4979231a1e0b7a944d81011665ed58ac93f04283a25a7410078431bf19f4d780e886d6

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\SPDEBJWH-20241007-0927.log

Filesize
57KB

MD5
207af9ec6c63318b96c75e0c27d59b23

SHA1
5493c9d49e437c6701035d1537fbebf107b94d67

SHA256
28af8915afc87f52dada357ef09597cf57f880b70e69b25f86404800fd45cf08

SHA512
4a0dfe5595a81c33c53496e2b0350950a9315aae8951fa4db8747b44531dc3d94cfde24e2ab49359fe566e69f7ece2756bb5c1d447085003a7550941ace7f6fa

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\SPDEBJWH-20241007-0927a.log

Filesize
181KB

MD5
c8b9b4a8b75d9ec098569e0536987b0e

SHA1
76516e7d0a84a40c3ad5596e0c221c8dfa10310c

SHA256
c7d6a605bfe85577036a4683a67420a029bfb6abb626c75ddd88a00cda8c7a22

SHA512
3920e6f97e8908a340d2af0a964e689c9b197faf43c1586d1b78e749beb2a2ce7a3736bddd63f576ac75af09c15dde7c658640955b2e1edbb053b3d148891a30

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\aria-debug-4964.log

Filesize
470B

MD5
02873b7ae05445e9a93c48bef5799a03

SHA1
41504c1a7e672d9640610fbc7cb355a43d23e507

SHA256
9ee018e2a3516bb6414de2534646d15683cf1b54250d34a9f15c42c78a1ff6e6

SHA512
1df0ef1967398e8c482858dc8efa5ae2528e658b12a2b2f0be4b3220e8ed50119516a0ef2d323579e265fbe770c63097443b823226ce1041cce2579de0301b9c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log

Filesize
6KB

MD5
9f7fd795f780fadda98967275626ec4a

SHA1
b7c3a6c1465a29fc00cea813d3bf32cfbf82c4c6

SHA256
dc2698b542e670a7b712ac354e2e51e2780b8a23f0721bb6ddc6d7273960ee9d

SHA512
34790bbfcdf35ffef5440ba924ff390a5c4cf64e73a4e05859003887dcfa7d840a8127b133b667bf4550a7451fc16472b1a084d1433e4cff289c44e58aa0309c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
2cd10fb2df28fe129426561d3983cfa2

SHA1
1ef6d2ad7acccd70c128c94aee07e1e64f6e6abb

SHA256
f76ce95d45a34d2ec324ffcc340bb9a52614914d713e8b6c951626ab913718e5

SHA512
819e03778f2b602bae6a36a2afcfffe5b0743bdba2317f8878443e08f0ae117a6272ec23ef0099f4ac4c7537994cf6b0def60cebf3c6ad3ca6e8d93eaac86d10

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI3BA4.txt

Filesize
427KB

MD5
b645519cb039961ba223641497f4db88

SHA1
c189038edf9128f90dd02cec5b867d2b1a60ff7b

SHA256
e619cd5bc0223bd092076fdd7dc6fb0f2b6c90cf6fa9d3cc558d2710b4a9a84c

SHA512
b72e625108c636f76cb94d655c866ab5d64ebc1d52c2e00e339cc01f6c397bf94a231e1353071d8e5ff3d40ec797f193fb4ffa6389fbe0df05f9de20f9515190

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI3BC2.txt

Filesize
414KB

MD5
667b74dd8097aac7b6f15a936f251b00

SHA1
573786f83c4185a47d01e9d52f9ceacb9ee84448

SHA256
f8c281c37f47d5db23b65efd3fd1ee9c81e92b5ed0c7a42695f01430bfb7dfb8

SHA512
73ab3d22b6fed8e881391d003490cbef19e0add845a2538566758e92f90116e1f3e9192b8fe6db61e164c0fabc2b0cafbefa66635ab45b9d996766273dd6d821

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI3BA4.txt

Filesize
11KB

MD5
8f10433000d9548f7bb8264be3d4c51e

SHA1
9c4b63f7abe832c864f1c24f024516cd7a8d9e66

SHA256
5f8d68870a8f5a3cf470b835d9ac8ea4074fe0933e7d1d45284b9429d92d1eb0

SHA512
48b46b8292aa48d29ee22f638575fee62465f28f3142f3a20d0acf78f4fa270c4a575d12a5c8b3739168d7b6b70986792f5474ce112543906e78e112153ba0ea

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI3BC2.txt

Filesize
11KB

MD5
95ab87942e7db7eff10539163d1ab08f

SHA1
ee9d6e39093db1ae4ad4fa6e8f0f152abac43996

SHA256
81fb90d0cd4237b1b3731b91cdcabd8e222b5ef4172eec6fa4cb775ce39ba172

SHA512
f858fded2b8be96034b654f274bf403504d79793980b7c9c2357bac13dda18b63d6bb4aa067c07206f70c3158a47075ff15abc565cf0766d23d16306fef05f07

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log

Filesize
163KB

MD5
26d1ec6bb0e3535932c3880217f63ac9

SHA1
776293a1bb8f214c56ec605111d6fa41f64fd629

SHA256
521d0497b2e8134036a4eb62b29afdd50c6adc2f961284191e336f94d47bf42f

SHA512
69bda513135558c398af4a3a0616441bad3a79abd3d12656181968abc845f3d6e8d51abd1f4e600a238590da4ae3c734262a170654d3953eb23e1938cb332772

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\mapping.csv

Filesize
120KB

MD5
d3186aada63877a1fe1c2ed4b2e2b77d

SHA1
f66d9307be6cbbb22941c724d2cf6954b41d7bb0

SHA256
2684d360ec473113d922a2738c5c6f6702975e6ac7ee4023258a12ed26c9fefe

SHA512
c94e8aa368a44f1df9f0318ca266f5a6a9140945d55a579dee2fd10aff3d4704a72a216718b35e44429012d68c2bb30a92d5179fbc9fb4b222456a017d8981c0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msedge_installer.log

Filesize
3KB

MD5
c7c0a1907b114f36db65cb7b3bf23e44

SHA1
29a5c6214fc81bc85cf1545351eb9db446330ae9

SHA256
5fcb4d4a8bf1f23f10e24668a093e6d25a60bc85639a83b4f7525c45da0a3c1e

SHA512
9cc787eeda1e319cf7f74e4a0059c565f1ea7404881608e2214d6f7cf78698e210d40520f507a6427aef93ea7e34e5e6710b8a428227b8b5326a110183da5479

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll

Filesize
410KB

MD5
328655e0f2611479a90db044ab130373

SHA1
d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

SHA256
586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

SHA512
8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll

Filesize
26KB

MD5
6e9d70d69f6b5edabf77afd544f23cdc

SHA1
60fb31409c332d169e3902871e829a9727c0f7c4

SHA256
63b18b5492e5f53386557724f5e3fbcbe621ff3ee9468a5b1be96ef3aefa1def

SHA512
dbbb45fa0dcc02c5c9d75ebe78eaa664d4086134e2ad39731ab11ff30db6aa410d5b004778812680e0282fdc7114f5c3f7b7d6b7d033217caac7be195ecac707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll

Filesize
482KB

MD5
e020b99503a66ed0ffd3f097142b1acf

SHA1
af915e18622e38a6d36633bb735ca888c8963630

SHA256
d962edea5d135f3254ba1e9e886a343293b84c65d417411976c0e2bbf7b3932d

SHA512
e15dfa25884a8c801ef83fb9ac380005068a27c941806e12fba2b22e52a2e6cee9e88582faed3a633796e3a12fc339cbc6dbf63160f251cce4299b59368ee28e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll

Filesize
6.4MB

MD5
30f01772f0dc5a541c6414d469d6b1cc

SHA1
fba8c571e0ebe5d7d24e3674fbd97081b0645d58

SHA256
e51be022d4f2f731b79a1432f227e23b1e3bbfc3f03a123a8c8825a5a1b84490

SHA512
e127d38e5a554f882f8d9d8f1239a3a71d1cd5a05e02cfb1c5c11e4417c9bbc20915d8f26cb9fb6ab1bb58b51c3b8177d8f831f44b765444bad78ae4413097fb

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct1776.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct709C.tmp

Filesize
768KB

MD5
61ae3c110791e3a98989ab89b198ba1f

SHA1
d35ad11ea2308871de6622bf9a05186cb667317a

SHA256
9735703975b217e33ab1039c07e32d0b931e4d101ee7088855b905ede18ad3c8

SHA512
cbd956e33dd2ba9579e2c48f7fc084732da847bf709bb462e28663818343f844aaaf4ac99986dfe713652af080755494f51668543d3c3743a2feed8b68d42827

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wmsetup.log

Filesize
697B

MD5
2f60efa39a34db6bf0c5572512009ab7

SHA1
91606d31bbafd247ccde598e72f4b0c7f3420992

SHA256
c0608acfa2189af66a2ecebd978ef9ce4cff94eaa276653208842df4862ef1e2

SHA512
4d3499fbf4b8dfe6288b3db444fd4f7e5e2f3b9b66c5b60801ec81990511087e5ef60542555818bb9a4695c6ceac88ec150601bf4ddbff16086ad3c1754a6826

Download Submit
memory/636-919-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/748-282-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1060-616-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1620-1014-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1836-699-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1948-98-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-269-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-1182-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-274-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-1184-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-275-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-71-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-44-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-85-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-998-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-1181-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-1183-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-91-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2032-90-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2216-789-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2444-963-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2712-656-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2716-428-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2796-187-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3052-828-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3256-334-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3704-559-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3848-474-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4140-729-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4420-145-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4740-1154-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4804-1180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4896-1100-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4984-880-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4996-238-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5016-514-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5052-2-0x0000021A1C4A0000-0x0000021A1C4B0000-memory.dmp

Filesize
64KB

Download
memory/5064-379-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5116-1055-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads