remcos | bad948017a4001a3e9a82fd53bfddb4fd9ddeba4a03eae6aa71a48f3eb69eaad

Analysis

max time kernel
148s
max time network
131s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
01-02-2025 03:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Cotización.exe
Size

633KB
MD5

a3d33d33f8b10595c252ee8e61a8892c
SHA1

f8bf529297b99ebdd0d6214a1a8a20bffb1bd875
SHA256

fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1
SHA512

5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0
SSDEEP

6144:pe3DUlId51RnG/LXJKIA5ZaPLi+bWVSBKtnfuvOVYER0u+GIIIIIIIhIIIIIIIIB:M3DkId5HnWLXMJABWVbnf/Vjm5a/s

Score

10^/10

remcos remotehost discovery persistence rat

Malware Config

Extracted

Family

remcos

Botnet

RemoteHost

2.58.56.182:2404

Attributes

audio_folder
MicRecords
audio_path
ApplicationPath
audio_record_time
5
connect_delay
0
connect_interval
1
copy_file
remcos.exe
copy_folder
Remcos
delete_file
false
hide_file
false
hide_keylog_file
false
install_flag
false
keylog_crypt
false
keylog_file
logs.dat
keylog_flag
false
keylog_folder
remcos
mouse_option
false
mutex
Rmc-GM05WY
screenshot_crypt
false
screenshot_flag
false
screenshot_folder
Screenshots
screenshot_path
%AppData%
screenshot_time
10
take_screenshot_option
false
take_screenshot_time
5

Signatures

Remcos
Remcos is a closed-source remote control and surveillance software.
rat remcos
Remcos family
remcos
Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 26 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Cotización = "cmd.exe /C start \"\" /D \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\" \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RootServices\\Cotización.exe\""	reg.exe

Suspicious use of SetThreadContext 26 IoCs

description	pid	Process	procid_target
PID 1152 set thread context of 3936	1152	Cotización.exe	89
PID 1152 set thread context of 1212	1152	Cotización.exe	94
PID 1152 set thread context of 2056	1152	Cotización.exe	101
PID 1152 set thread context of 1356	1152	Cotización.exe	106
PID 1152 set thread context of 4920	1152	Cotización.exe	111
PID 1152 set thread context of 4420	1152	Cotización.exe	116
PID 1152 set thread context of 5104	1152	Cotización.exe	121
PID 1152 set thread context of 2684	1152	Cotización.exe	126
PID 1152 set thread context of 4724	1152	Cotización.exe	131
PID 1152 set thread context of 4520	1152	Cotización.exe	136
PID 1152 set thread context of 4860	1152	Cotización.exe	141
PID 1152 set thread context of 464	1152	Cotización.exe	148
PID 1152 set thread context of 4216	1152	Cotización.exe	154
PID 1152 set thread context of 2328	1152	Cotización.exe	163
PID 1152 set thread context of 5048	1152	Cotización.exe	170
PID 1152 set thread context of 2936	1152	Cotización.exe	178
PID 1152 set thread context of 4240	1152	Cotización.exe	183
PID 1152 set thread context of 1652	1152	Cotización.exe	188
PID 1152 set thread context of 1064	1152	Cotización.exe	193
PID 1152 set thread context of 1904	1152	Cotización.exe	198
PID 1152 set thread context of 3076	1152	Cotización.exe	203
PID 1152 set thread context of 556	1152	Cotización.exe	212
PID 1152 set thread context of 1728	1152	Cotización.exe	217
PID 1152 set thread context of 2248	1152	Cotización.exe	225
PID 1152 set thread context of 2436	1152	Cotización.exe	230
PID 1152 set thread context of 2312	1152	Cotización.exe	235

Drops file in Windows directory 64 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI06B3.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20250129_092203953.html	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_002_dotnet_host_7.0.16_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\PWIJICDD-20250129-0926.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\AdobeSFX.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\WER84B2.tmp.WERDataCollectionStatus.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\mapping.csv	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20250129_092203953.html	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct122B.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\WER8530.tmp.WERDataCollectionStatus.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_000_dotnet_runtime_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BIT52B3.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_000_dotnet_runtime_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wmsetup.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\WER84B2.tmp.WERDataCollectionStatus.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\mapping.csv	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\WER9BE3.tmp.WERDataCollectionStatus.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_000_dotnet_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_002_dotnet_host_6.0.27_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_001_dotnet_hostfxr_8.0.2_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BroadcastMsg_1738142775.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct5087.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\aria-debug-3108.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI06B3.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct786C.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\{0038DF76-A10B-4FD1-874E-75B8E67CEC57} - OProcSessId.dat	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\StructuredQuery.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wctBDF1.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\StructuredQuery.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_001_dotnet_hostfxr_6.0.27_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_001_dotnet_hostfxr_7.0.16_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\{0038DF76-A10B-4FD1-874E-75B8E67CEC57} - OProcSessId.dat	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wctBDF1.tmp	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\aria-debug-3108.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_001_dotnet_hostfxr_8.0.2_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct786C.tmp	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BroadcastMsg_1738142775.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI06D1.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_000_dotnet_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI06D1.txt	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_000_dotnet_runtime_7.0.16_win_x64.msi.log	Cotización.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_002_dotnet_host_6.0.27_win_x64.msi.log	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\WER9BE3.tmp.WERDataCollectionStatus.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt	Cotización.exe
File created	C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msedge_installer.log	Cotización.exe

Program crash 4 IoCs

pid	pid_target	Process	procid_target
4208	4860	WerFault.exe	141
2384	4216	WerFault.exe	154
3640	3076	WerFault.exe	203
2368	2312	WerFault.exe	235

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aspnet_wp.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1152	Cotización.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1152 wrote to memory of 4540	1152	Cotización.exe	85
PID 1152 wrote to memory of 4540	1152	Cotización.exe	85
PID 4540 wrote to memory of 3976	4540	cmd.exe	87
PID 4540 wrote to memory of 3976	4540	cmd.exe	87
PID 3976 wrote to memory of 3952	3976	cmd.exe	88
PID 3976 wrote to memory of 3952	3976	cmd.exe	88
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 3936	1152	Cotización.exe	89
PID 1152 wrote to memory of 1396	1152	Cotización.exe	90
PID 1152 wrote to memory of 1396	1152	Cotización.exe	90
PID 1396 wrote to memory of 1920	1396	cmd.exe	92
PID 1396 wrote to memory of 1920	1396	cmd.exe	92
PID 1920 wrote to memory of 2660	1920	cmd.exe	93
PID 1920 wrote to memory of 2660	1920	cmd.exe	93
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 1212	1152	Cotización.exe	94
PID 1152 wrote to memory of 2260	1152	Cotización.exe	95
PID 1152 wrote to memory of 2260	1152	Cotización.exe	95
PID 2260 wrote to memory of 3904	2260	cmd.exe	97
PID 2260 wrote to memory of 3904	2260	cmd.exe	97
PID 3904 wrote to memory of 3884	3904	cmd.exe	98
PID 3904 wrote to memory of 3884	3904	cmd.exe	98
PID 1152 wrote to memory of 3460	1152	Cotización.exe	99
PID 1152 wrote to memory of 3460	1152	Cotización.exe	99
PID 1152 wrote to memory of 3460	1152	Cotización.exe	99
PID 1152 wrote to memory of 3100	1152	Cotización.exe	100
PID 1152 wrote to memory of 3100	1152	Cotización.exe	100
PID 1152 wrote to memory of 3100	1152	Cotización.exe	100
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 2056	1152	Cotización.exe	101
PID 1152 wrote to memory of 3932	1152	Cotización.exe	102
PID 1152 wrote to memory of 3932	1152	Cotización.exe	102
PID 3932 wrote to memory of 4768	3932	cmd.exe	104
PID 3932 wrote to memory of 4768	3932	cmd.exe	104
PID 4768 wrote to memory of 3756	4768	cmd.exe	105
PID 4768 wrote to memory of 3756	4768	cmd.exe	105
PID 1152 wrote to memory of 1356	1152	Cotización.exe	106
PID 1152 wrote to memory of 1356	1152	Cotización.exe	106
PID 1152 wrote to memory of 1356	1152	Cotización.exe	106
PID 1152 wrote to memory of 1356	1152	Cotización.exe	106

C:\Users\Admin\AppData\Local\Temp\Cotización.exe
"C:\Users\Admin\AppData\Local\Temp\Cotización.exe"
1⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3952
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:3936
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1396
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1920
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2660
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1212
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3904
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3884
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3460
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3100
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2056
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3932
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3756
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1356
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4304
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2304
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4920
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1908
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1376
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3200
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4420
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4756
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4028
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2716
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:5104
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:992
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3724
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1444
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2684
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1080
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4768
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4380
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4724
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4384
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2324
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4364
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4520
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:2140
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:2692
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:8
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4860
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4860 -s 76
    3⤵
    - Program crash
    PID:4208
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:2716
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1448
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4808
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:464
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:760
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3928
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:2868
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4216
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4216 -s 76
    3⤵
    - Program crash
    PID:2384
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4224
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:5112
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3528
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3052
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:3852
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:2328
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1332
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1792
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:864
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2292
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1740
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:5048
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3996
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3324
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1664
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1504
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:2736
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:4872
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2936
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3132
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:372
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4240
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1924
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1540
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3180
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1652
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4648
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3612
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1064
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1948
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:380
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4324
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1904
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:2776
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:1484
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1172
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3076
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3076 -s 76
    3⤵
    - Program crash
    PID:3640
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:452
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:3832
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:1524
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2656
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1384
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:556
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:992
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4684
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:5044
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1728
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:4892
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:864
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3752
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3612
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
  2⤵
  PID:1328
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ilasm.exe"
  2⤵
  PID:680
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\vbc.exe"
  2⤵
  PID:2248
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:1664
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:380
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:4272
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2436
- C:\Windows\SYSTEM32\cmd.exe
  "cmd.exe" /C cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
  2⤵
  PID:3748
- - C:\Windows\system32\cmd.exe
    cmd.exe /C reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
    3⤵
    PID:4828
  - - C:\Windows\system32\reg.exe
      reg add "HKLM\Software\Microsoft\Windows\CurrentVersion\Run" /v "Cotización" /t REG_SZ /d "cmd.exe /C start \"\" /D \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\" \"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe\"" /f
      4⤵
      Adds Run key to start application
      PID:3400
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2312
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2312 -s 76
    3⤵
    - Program crash
    PID:2368

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4860 -ip 4860
1⤵
PID:3132

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 4216 -ip 4216
1⤵
PID:2260

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3076 -ip 3076
1⤵
PID:2384

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 512 -p 2312 -ip 2312
1⤵
PID:2140

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\AdobeSFX.log

Filesize
1KB

MD5
b7ea005ccca1c944f7ae3c88228ce8d4

SHA1
d87b8131438ce0094cc94df94cb9f7e342cafe31

SHA256
e91f9d94165d944fabb72f0bea3bdcef166c460e3d6812adc78e6f348ac36dd1

SHA512
d6d7c96bfe23ffbf4f8a0bb7c6bb2af2811bb4c0c8c1cdb6aed2b9f8730e38e4d4277cc3a276e5d1ccfcdbf7896da9d8d6d73b29812d27347e38beb03ff37093

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\BIT52B3.tmp

Filesize
1.6MB

MD5
83f7907f5d4dc316bd1f0f659bb73d52

SHA1
6fc1ac577f127d231b2a6bf5630e852be5192cf2

SHA256
dac76ce6445baeae894875c114c76f95507539cb32a581f152b6f4ed4ff43819

SHA512
a57059ef5d66d3c5260c725cae02012cf763268bd060fa6bc3064aedff9275d5d1628ff8138261f474136ab11724e9f951a5fdd3759f91476336903eb3b53224

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Cotización.exe

Filesize
633KB

MD5
a3d33d33f8b10595c252ee8e61a8892c

SHA1
f8bf529297b99ebdd0d6214a1a8a20bffb1bd875

SHA256
fe0c0a5da033e86e09a721070bb2e1116a28160aaffd803b8e65a57ed25e62c1

SHA512
5a8d8cfcb0ad0e73ce3a4ca2d23a8cb55216f97b1d4f490b3a7beee963e494e8c122fd7ec70a32eef8c1eb9b6b4e86da4cf2207beba6324d70fada7c36303bf0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\JavaDeployReg.log

Filesize
13KB

MD5
9384559818ce62f25f3405a2732c16f3

SHA1
080170a5d9d9f854de5362ec7d0b77969b065f30

SHA256
f3d8d0d52354a85ff3220c083b6523aa93a10eaeadeec581b14988d173cc3b2f

SHA512
0f40f332b45ab6fb25a15ae2550ad5eb539930e5b6f75efed51829aa5eade0a76eedde2cd0d27dc4914d8a2981d8b79750c7cefac9321983864447d192a41aa1

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft .NET Framework 4.7.2 Setup_20250129_092203953.html

Filesize
93KB

MD5
e7b8643e7594210894f386f4c3bfacaa

SHA1
4d01758bbef658358e1f85771b30b200a7e32bbf

SHA256
44ac0a049ba301662171a389a0901fae078573061c29125ff8cd359f03ed5c09

SHA512
8ae854473bff36ff255f126cee384782cd0005a5c5563206e786d6018d33b28cf061de000c86b2b96b370ddca3c3e596b587fe1561ee56d72cee34d2e2f07a8c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226.log

Filesize
15KB

MD5
e736765f90af73e73f336b16835f8660

SHA1
e324fd092cb3fe2e6e00a6d50f2bd218884fc080

SHA256
97b6b5d1b86647cbf65714e0c3fea53d43c94d09d05628b4db93872e05121d44

SHA512
dccfc8b68170d5f353a4e60a53f0d3cc603324aa947f1c45ff599184a065ab881bf9bcd42a081d3e0b7dfc0cbefa77ae0aaaa65d86bd73b831a362a3c711ce2d

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_000_dotnet_runtime_6.0.27_win_x64.msi.log

Filesize
551KB

MD5
342647325a2b9ef5018d9f21b7fd202a

SHA1
e6bfec428238c4c3e7506e78315cdc35c58d544f

SHA256
e0421a46e89f43a9a3d294883b8339e36565acc81ca4860e68bb9f648a4b9600

SHA512
677381040aaa744e6742286ed01b357438c3083ded12c69571957134eaad5a56523a97c76314ca478ffe581bb2e1084577555ab866b63a5dfe5a45314007b8d7

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_001_dotnet_hostfxr_6.0.27_win_x64.msi.log

Filesize
95KB

MD5
0543bc52183ae63eb6752e338bc449cf

SHA1
1e2e22e4b4f4ffa904f05b438d51ca2595590f7e

SHA256
80427d108d782b4e823599eab631e0e0e268d6a0fb625571f56c2dad74b016e6

SHA512
b265f53834f5aa0f463e6e314b79a53666dafaa71b4590057cf214f4eedc4b97278e1cd05e648924835708ec3894e89bc05703703aa1a9ee8a753c64042623a8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_002_dotnet_host_6.0.27_win_x64.msi.log

Filesize
105KB

MD5
660f5d42912d7f5a9d7e22569ccdc4de

SHA1
865baed8705f9b04946b860a6c270f9b59e2c0b8

SHA256
5c76b82971bbb6cc11ab0572e4a7ec9b0acbcc0ee190df81eb8ba8637c5dd419

SHA512
02fff2d362df129e1cc84a68d83845e7b993472e0302443baba339ef28736e83f53885bb844e5b5e98f119126cf21bddc7b51ac62ddc17882e37fbaddd28a087

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_6.0.27_(x64)_20250129092226_003_windowsdesktop_runtime_6.0.27_win_x64.msi.log

Filesize
847KB

MD5
c9d0c80cadb83dd981f30f8fedecf9fa

SHA1
39b387e32a1bd22c102f5f86536460dc8d800cf6

SHA256
667f9752350936cb3161ad6eafe10901ede99cd83209800329a34192d2415603

SHA512
a33b936eaa9f0d08f93612216610251327fe51ce988ee66b61b8b613936b8aceb85e95ecfa18e51ea02dd5f53888595c7810910bd60856983243d3833c7792ce

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248.log

Filesize
15KB

MD5
efd5b0adf0b5a05464f16db7da6805e9

SHA1
d45b28e49e06a94eb25ed17f6a24fd24ee31551f

SHA256
ff913feb5a468fa107165fe5474c1547a8c44c943e5c56eec5571283e550f249

SHA512
aaea88c3f6cad2dae3ccd4ad93cf6f96adf233f5b314e7873812f81234962adea7edfc17acca1c9328a0772bfdff21549ed99316e7f950206ebece026cf44f9a

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_000_dotnet_runtime_7.0.16_win_x64.msi.log

Filesize
470KB

MD5
6044980f8b7ac61702f3bdeda57eded1

SHA1
b6a5e643731368f8c7f0ee4623afd42258290149

SHA256
bd14b1d12123aa09a61634504b6e64b5098bb39884cd08d564759be4532cefbf

SHA512
923495406b63548d53fee8a858fdf4d1fe346cde986f32bcd88d92bf827fb66ca65a4b526c732ca22af094ce46ed3e8ec858990395a9d368eb15479740c02281

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_001_dotnet_hostfxr_7.0.16_win_x64.msi.log

Filesize
95KB

MD5
0bf5c4e62dffac044d195d83faaf28a0

SHA1
aea93d7978177f28ba67837be99315e34a3d17c4

SHA256
499ff0c7d2ccca64a3f268c9b987585dd4d1ae30cb215fe4949535204dac74b4

SHA512
868e516dbcf932f1ca6483c63ca882ff7d6807153d9eb6b092c33612c83999aace42fb551dda9c97219ad63c15312cc1a3dc18470490d57115a25f4df1226ebc

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_002_dotnet_host_7.0.16_win_x64.msi.log

Filesize
109KB

MD5
281c998419e6097882018f817a00bd85

SHA1
b27ce711946299d8eddcd9133355e2d74bebd354

SHA256
e224ecdb21dc674398e736f6c5efdf2f364383ef18cbe9c2ed86685285cff99b

SHA512
85093db654a1913ff9f134c8e83ce7c5149f9f762ebc94458b1c5269826dcb0b8c2155b9bee400bdf770c78654c3aa75005f3c3cde1db87ac146c1b86bcdfa94

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_7.0.16_(x64)_20250129092248_003_windowsdesktop_runtime_7.0.16_win_x64.msi.log

Filesize
852KB

MD5
6fd549b9cc9720e2bf2358a563a58818

SHA1
f92c4d9583d1fa86e622afba689bd6b3bd225458

SHA256
782084b909acaaa22c1ebb27b7f243326c9ae321af7f428ab4ff61d3336a159f

SHA512
928f27a836a802c6baec28c109335852ce4ccf2a6287d081bd666455003a38b3fba17abe114416e1ea58ccf604d77e31992ef8b9f9e7798873052955e5fbeeee

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311.log

Filesize
15KB

MD5
26ce2361f035f993a15cf3f603ec19a7

SHA1
25860378360938deafc75953bb93a834ec2f1540

SHA256
766f2317096e0c2414b65b3ff892ccec95c5cbfc0b943817bea12c0cc7970568

SHA512
5bfd701a9116211742601d06064da5b6e7cb45ae018615c5733763036b0f3d5b0d327890b7f7e8e1f807a3381596865a888944938a441b378f22714fbdc95095

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_000_dotnet_runtime_8.0.2_win_x64.msi.log

Filesize
469KB

MD5
3993f05723bd92d5687b99b977990d04

SHA1
5716d71fb9a43e89166c7cabc854c69df41845e9

SHA256
b44213d41558e734aed43ddfd3fb4de6bfc2ffce8bc283847a8d90f8f3ffa5bf

SHA512
c09c9dc17f284e2c15e40c0e669190d1e5a1bf5ee5de7db769ea73db07017f484620345974fbec2969e10846d55c5c6d3aa16e380a5969dd282f8ac03e7c282c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_001_dotnet_hostfxr_8.0.2_win_x64.msi.log

Filesize
95KB

MD5
7ca293f1269e5a49556636c68e33d21f

SHA1
3fc1c413b12ccb47e4ee1b3cb5512d5714598644

SHA256
07686deca92be24f8ccc0ab0cc2ece70581e3681df36860e2c40dd04c85f0084

SHA512
8b01fea8b6d967f63278ed9b61117a32b6a23792940294f41ee2b5c4a51f19d172d6fdeefb1864cc43dedd15896c221c0d931fdc2bc273c1c790e3a0cd97aff9

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_002_dotnet_host_8.0.2_win_x64.msi.log

Filesize
109KB

MD5
5b3d0d5ff9d13dc3fb2cee5ed4fef89c

SHA1
64d5756d507c4c5914b2d40d9f9db2ac2e87ba04

SHA256
ae16cca9dc99d100268acfdd9ff3394b39f4772c3a1cae57cebd4f11d461d6dd

SHA512
03c97ff9cd2b81abb8a894035fd09b00e1a9a83b54bab009897e3601474146c55e3e0ced3ed47703bf9588bf6184b5be79a7ac68798498126b09d68376d839d3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\Microsoft_Windows_Desktop_Runtime_-_8.0.2_(x64)_20250129092311_003_windowsdesktop_runtime_8.0.2_win_x64.msi.log

Filesize
846KB

MD5
b2b15a6331374a0dd347efeeaea5a1a2

SHA1
00acf4d0a391c3a7d627f04dcdb0b34c6681d9d0

SHA256
0e89c838b93277a4ee84a34413443995f421d185b74f510ba6f4ab86f004e87b

SHA512
2bd29db84e8f8e08339ec56340ad6e4e0f33a4810390d3c1bcb9f7969f91a2b36b2d7c41f2aa74e661dd6182c520ef81e53b134adb1d6d140fbe8ab37ce3ba97

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\PWIJICDD-20250129-0926.log

Filesize
57KB

MD5
0e28cdcafd4d5618ce67a6cf5b5ee250

SHA1
488f15121b48639c292a112a928375d27d431c21

SHA256
1fc4f20d811c81f89bbddc2f3f57fb11edd3f48cba62351cc4cf71418dc48668

SHA512
df2b7b0855477d273384410224f20a0997599e2b6adcb3edfaca13c381d75e37c55f4ffa4c6a7b9a9006e5de43c65fb948187051ae61a3633845da22783c2769

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\PWIJICDD-20250129-0926a.log

Filesize
181KB

MD5
1c0f87cb085127e5937c365e8e89186d

SHA1
35cf127a8c6f3bf71673559bd3d2089246b90a20

SHA256
d47f24f851b2948340ed68834c767e97db8d6868ceff12bbec26878ec29ba741

SHA512
b7a6849069ad735fdc4dd85ae5f5e191c5244ecd20eaa8b01fcce5353aeb1ab4d1cb086eae359bf1f8e91b9cae6d458a81d1cd7aaf7c073b405b296d2498e7df

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\StructuredQuery.log

Filesize
4KB

MD5
378788c433e4cd83d0c95a740a6412b7

SHA1
51392cb5b020dc9cb0d5875bebabdd71e1c397f7

SHA256
fd215500c208ec47331c385b5070336eba4f722d4361de8ef321e7d95b627ac1

SHA512
7b2f5ba4ef99a73cd1c808acc6425362180b9da3ce2d5af8fd6b40c9d35f27720c56cc1b2692eaf77b3c3073c107fdd2d7c8f1b35cf38a832cc66bf318bc8512

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\aria-debug-3108.log

Filesize
470B

MD5
2db4411723a3b166a9cccad35f753f8d

SHA1
5482f7a9d5fb5ce963a9b7fd496ad30a690de7da

SHA256
61644e3a36795fe6fbafcf6574e6de321dd7a7ceceb9a11c6709a8992e4ca027

SHA512
d09640d73141140b42742e494ee600149f3b189e6b4bcd6ac7eccfff4df66a74ea957db3689949c4255159c652483eade11bf946b7faf98cfd07687b81ac3b31

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\chrome_installer.log

Filesize
6KB

MD5
36180588e0e345fe968eeefb1142e34c

SHA1
6397dbff52eb71a25b560cbc254f65c693c5200a

SHA256
376eef83e7e98358f2cbc4cdab0dda5cb081b3df26f09ecf5092580351373cb1

SHA512
6a696694e558cffad6c9d587573a21b7d1a74ecc539c77e512ba52f9c6bd739879c3b584b74ca7294045de5546b455b1c0576b47808ba467227bf26868cd3061

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_NDP472-KB4054530-x86-x64-AllOS-ENU_decompression_log.txt

Filesize
1KB

MD5
582a860b54e7462a4729c438f183562e

SHA1
9c92312ae4c1d434ed0a8b6b979887e3ce5ce6b8

SHA256
0105cad6ab889d1fc9edc441883474183264377e16412c84d0933c75d2ba132a

SHA512
fe41b593a19b59067a862d5a4a026cac56e57abd0af7e62727f46876632477df5ac531b97c6b6aab6c579a2ec6b8cd62c28751de0d0a8dd58c58be85c03fd40e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI06B3.txt

Filesize
426KB

MD5
a5ca2a9963c71c4db0d68adad8b79d48

SHA1
140fd7876eccd7167ac4090c3ccb7b123fc4ad97

SHA256
35220cafef49eeb4e0d55c963f87a99634696cde5e8462a4ce8b36d8c5c976f3

SHA512
ad42d40a7b5bf02383f69de91a561e340b25c64675eca18768ee0c67ef05624bd593f6ba53f88c0a603a6ae37971cdcbea63f06aed15acd32d9b55ee73d67fbd

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistMSI06D1.txt

Filesize
414KB

MD5
ad64422af42768af31c750307390c34b

SHA1
047da445dc04dc5e8783851316a3deb14d7bfc5c

SHA256
c645e2d9bb4933de98e7ceef5ddb5309ed5cd59fbcbc3fdf254f637e67313f67

SHA512
eac9654aa6b01fdd348200b61ba5a2fc1343bb8e49869465faa20aa94de1c993d774d066faba97f7185737c6bbccc4466906a6658440f14978d8999065ed9722

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI06B3.txt

Filesize
11KB

MD5
6bfb5e4049bd6f5246bab6843d3dd1ff

SHA1
70801207e10b4556a8e36a9cb56728d4aec3255e

SHA256
93a20a854cfbb67e64f182fa8452eca9d963b8729f5c0e49145a29bef543fb12

SHA512
9a08dfc1bfb4294b8ee8a25bc3ce22f972e06a7db544469504ff29e2be37457344de42bf8f526f45f2826e5047510f92ae56e7d547e1dbd543f64dfd0bb5e494

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\dd_vcredistUI06D1.txt

Filesize
11KB

MD5
00969ccf22580cbf3f1f66a5a3a3babb

SHA1
456da08cb40555842d5bdbcad678dde970dba70a

SHA256
f9368bb6b7d729d4398bbe2d47a616e862f835c30c72b3679491aecd26720fcf

SHA512
366a058fc18ccdf5f7a46011b2a9f4b587c2a75bf0321c89aa3636eaaae2468a4e7d56b7cfcf03bc73ed4713f2c1a09f3b177c3344759f96b54e41c411e98e98

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jawshtml.html

Filesize
13B

MD5
b2a4bc176e9f29b0c439ef9a53a62a1a

SHA1
1ae520cbbf7e14af867232784194366b3d1c3f34

SHA256
7b4f72a40bd21934680f085afe8a30bf85acff1a8365af43102025c4ccf52b73

SHA512
e04b85d8d45d43479abbbe34f57265b64d1d325753ec3d2ecadb5f83fa5822b1d999b39571801ca39fa32e4a0a7caab073ccd003007e5b86dac7b1c892a5de3f

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\jusched.log

Filesize
163KB

MD5
f250a63484cefab4d6a372331e09af4f

SHA1
8650dbf286f45146b10071f709f28ac4ce0f3e6a

SHA256
0d91ee9f8f27ff57c57c71bb897bf19215abf6a69cc0709877f425c020c21bd8

SHA512
8b314d7179f9f646dc028b58bf243c8e6b2b356fb2a935cf3f7dd4e52a414bc213a1155eca56a9f3b34c71bcf31751a769f56f8ec8c5a328b4374ca169fc0251

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\mapping.csv

Filesize
120KB

MD5
d3186aada63877a1fe1c2ed4b2e2b77d

SHA1
f66d9307be6cbbb22941c724d2cf6954b41d7bb0

SHA256
2684d360ec473113d922a2738c5c6f6702975e6ac7ee4023258a12ed26c9fefe

SHA512
c94e8aa368a44f1df9f0318ca266f5a6a9140945d55a579dee2fd10aff3d4704a72a216718b35e44429012d68c2bb30a92d5179fbc9fb4b222456a017d8981c0

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\msedge_installer.log

Filesize
3KB

MD5
db09ea0964d9e580bfbbfa654ab4cb18

SHA1
2a3d1974cdf21390a836cabfe8ca2fae155c918f

SHA256
0f717182f9dcba7cf9a279712484d348b9c5b3d31f6c7aef6f471e6c9a3084cb

SHA512
3f80f77f3271f255d3eafb07a1ee610f4b4af938891c3a7822e2647199a737df597903911dcd0f183b089e75bace1ede1b2219a6627ef65e8e2a29bcce51066c

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\tier0_s64.dll

Filesize
410KB

MD5
328655e0f2611479a90db044ab130373

SHA1
d678fd28927f05bde277bc3dc5fc51e2b4dce8b8

SHA256
586a9c2a27e906a54182166ec63a02bb6a28eb4e2e7e53a799db928b76fd036d

SHA512
8849dbfa9406c94b9750a6771ba391be95d8b41c53f19f446be92f4f22633975aa7d11b999e9f25b93bc682173ad6e4993486a2ec51c7475046db8daf9b1ebc2

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime210.dll

Filesize
26KB

MD5
6e9d70d69f6b5edabf77afd544f23cdc

SHA1
60fb31409c332d169e3902871e829a9727c0f7c4

SHA256
63b18b5492e5f53386557724f5e3fbcbe621ff3ee9468a5b1be96ef3aefa1def

SHA512
dbbb45fa0dcc02c5c9d75ebe78eaa664d4086134e2ad39731ab11ff30db6aa410d5b004778812680e0282fdc7114f5c3f7b7d6b7d033217caac7be195ecac707

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vcruntime211.dll

Filesize
482KB

MD5
e020b99503a66ed0ffd3f097142b1acf

SHA1
af915e18622e38a6d36633bb735ca888c8963630

SHA256
d962edea5d135f3254ba1e9e886a343293b84c65d417411976c0e2bbf7b3932d

SHA512
e15dfa25884a8c801ef83fb9ac380005068a27c941806e12fba2b22e52a2e6cee9e88582faed3a633796e3a12fc339cbc6dbf63160f251cce4299b59368ee28e

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\vstdlib_s64.dll

Filesize
13.8MB

MD5
724018fc656d5524d57ec1500b267ff2

SHA1
d9a7f02b5d3286693491280fd98314c69c4fb25d

SHA256
6cde255c9081211f04f2aa0fa6c04dcc1575d52a93b78639585d48fc9fa86a3f

SHA512
232a799e61e9b360e8f3ee15f1b0f93f6810a70df2ca5b11abd1499301109346ee1a974a70b95069fef2e224d80d1c5d90400ff6931ddf1320d2e5322b2888f8

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct122B.tmp

Filesize
63KB

MD5
e516a60bc980095e8d156b1a99ab5eee

SHA1
238e243ffc12d4e012fd020c9822703109b987f6

SHA256
543796a1b343b4ebc0285d89cb8eb70667ac7b513da37495e38003704e9d88d7

SHA512
9b51e99ba20e9da56d1acc24a1cf9f9c9dbdeb742bec034e0ff2bc179a60f4aff249f40344f9ddd43229dcdefa1041940f65afb336d46c175ffeff725c638d58

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wct786C.tmp

Filesize
35.3MB

MD5
4726f21bc2b22d81b19e400a17d23a0f

SHA1
89edf5aa2d332a239543821033d124725f9047d5

SHA256
192c2d0edce23111d1b03fba62bb4924d7a8467c428b9e5edcd8d34f90748242

SHA512
482d833e653f347912c9792ce05f9273e31b0ce3a553700d198c4c1ed725c7474ee62b2971b32f88bb6fe1e296c32af02159384726e8cd4fc46c588e45c630c3

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\RootServices\wmsetup.log

Filesize
697B

MD5
98771b5e4080828e475e5205fd2fda92

SHA1
2b8723b73832ff7d1578a67c17a27f7470272ebe

SHA256
cea6021c8f7ba75b4a16347881058405f6b291e4509a554100d1b47bc49a2e1a

SHA512
33083a8baa3576f3e774998314f79fa7aa42f4753ba4759ca4a1110d001f9a9c3cee26748999a96fdb3d2fe2b9849728ec92d8f7ffa33d99b3b6de85f70adf0e

Download Submit
memory/464-583-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/556-1039-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1064-896-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1152-0-0x000001AFD7EC0000-0x000001AFD7ED0000-memory.dmp

Filesize
64KB

Download
memory/1212-111-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1356-193-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1652-849-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1728-1079-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/1904-942-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2056-152-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2248-1134-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2328-660-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2436-1172-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2684-388-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/2936-746-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-1209-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-838-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-1211-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-1213-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-1214-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-180-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-1215-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-95-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-93-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-45-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-884-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-1216-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-185-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-53-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-189-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-88-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/3936-92-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4240-806-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4420-311-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4520-477-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4724-433-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/4920-264-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5048-714-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download
memory/5104-350-0x0000000000400000-0x0000000000480000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads