xworm | hxxps://bitbucket[.]org/vasoyeti/compu/downloads/No_00014052024_COBRO_JUR%C3%8DDICO_VIGENTE_FECHA_5_DE_DICIEMBRE_DE_2024[.]tar

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-es
resource tags

arch:x64arch:x86image:win10v2004-20241007-eslocale:es-esos:windows10-2004-x64systemwindows
submitted
20-01-2025 12:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://bitbucket.org/vasoyeti/compu/downloads/No_00014052024_COBRO_JUR%C3%8DDICO_VIGENTE_FECHA_5_DE_DICIEMBRE_DE_2024.tar

Score

10^/10

xworm discovery persistence rat trojan

Malware Config

Extracted

Family

xworm

Version

5.0

87.120.116.179:1300

Mutex

3K4hxUJ98OMO2ygA

Attributes

install_file
USB.exe

aes.plain

Signatures

Detect Xworm Payload 3 IoCs

resource	yara_rule
behavioral1/memory/4016-153-0x0000000000400000-0x0000000000552000-memory.dmp	family_xworm
behavioral1/memory/4016-152-0x0000000000400000-0x0000000000552000-memory.dmp	family_xworm
behavioral1/memory/396-151-0x00000000014A0000-0x00000000014B0000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Executes dropped EXE 1 IoCs

pid	Process
4016	No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ReduceMemory = "C:\\Users\\Admin\\Documents\\ReduceMemory\\Bin\\ReduceMemory.exe"	No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
3	bitbucket.org
6	bitbucket.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 4016 set thread context of 396	4016	No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe	119

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\INF\display.PNF	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	csc.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133818514678149623"	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
3976	chrome.exe
3976	chrome.exe
748	chrome.exe
748	chrome.exe
748	chrome.exe
748	chrome.exe
3600	7zFM.exe
3600	7zFM.exe
396	csc.exe
396	csc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
3976	chrome.exe
3976	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe
Token: SeShutdownPrivilege	3976	chrome.exe
Token: SeCreatePagefilePrivilege	3976	chrome.exe

Suspicious use of FindShellTrayWindow 36 IoCs

pid	Process
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3600	7zFM.exe
3600	7zFM.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe
3976	chrome.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
4212	OpenWith.exe
396	csc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3976 wrote to memory of 212	3976	chrome.exe	83
PID 3976 wrote to memory of 212	3976	chrome.exe	83
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4032	3976	chrome.exe	84
PID 3976 wrote to memory of 4944	3976	chrome.exe	85
PID 3976 wrote to memory of 4944	3976	chrome.exe	85
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86
PID 3976 wrote to memory of 64	3976	chrome.exe	86

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://bitbucket.org/vasoyeti/compu/downloads/No_00014052024_COBRO_JUR%C3%8DDICO_VIGENTE_FECHA_5_DE_DICIEMBRE_DE_2024.tar
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd804bcc40,0x7ffd804bcc4c,0x7ffd804bcc58
  2⤵
  PID:212
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1948,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:4032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1876,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2112 /prefetch:3
  2⤵
  PID:4944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2236,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2532 /prefetch:8
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3128 /prefetch:1
  2⤵
  PID:2596
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3116,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3172 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4320,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4356 /prefetch:8
  2⤵
  PID:1848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4932,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4972 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4988,i,14946754811621408689,2467772199362613341,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3832 /prefetch:8
  2⤵
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:748

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2004

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4504

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1264

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4212

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\No_00014052024_COBRO_JURÍDICO_VIGENTE_FECHA_5_DE_DICIEMBRE_DE_2024.tar"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
PID:3600
- C:\Users\Admin\AppData\Local\Temp\7zO01E9FB89\No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe
  "C:\Users\Admin\AppData\Local\Temp\7zO01E9FB89\No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  PID:4016
- - C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:396

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
a5cfb52cf1ce69106bb3c4f484936e0c

SHA1
19fd7a7123d72ddee4f93b1433ee0392f1168323

SHA256
d59f555a8c9fe5c25cb6eccec6884533532d69c35794d666c5b92252e79c49ae

SHA512
13c63bf2f245f9ba7a6b0085e483ab537ca799e198f379b801bd297e058b3204bcb97d0032c4692c4c357d86bb5f9505171c8e52726a4e327da343c5b78ab348

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
982ca11ca09362f5156619290d8aca41

SHA1
43a0f471d2adfee4cbe303564f7d69d17ee6467b

SHA256
457c18822bfa48ea8126e64b239e58c9d92c86575c991176ed25ad3fa691c16d

SHA512
efe3f732ef993bece23bae8c56d1eb02058d92085d18a3a29a0a4c5efb545ac105539b6116e7daba6ae494e9e61be0328c3acad727175dc531adb87628ad7363

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
523B

MD5
a91af9bbf50f880bc9f9030a17c55595

SHA1
126e72ebbfa6faf704a57995e10337fcac3bab04

SHA256
49b44fcba670e4717edb581263858f827925fb25b56e1a501d46d5c1acb9a0ab

SHA512
f10b5bfb33f158d857ff3973f1178d4ac1bf87766b25bb63f4603e02ff88eb1ea731530702c47f4ba470e99e3a04b7c381b3705effce8700b18b1f1133e43a4f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1d863d8a660b80d6484e1dd15e21586c

SHA1
62ad082ccb5781cf577b0cae2e3d0539bfeb7cbc

SHA256
2b9eee66820b12de3d7afc175d2b7e18f8726b3a5a42cef70c3334a7b77ab8e9

SHA512
baa52aefd6fae0505754547860451b6c9e848540e8d7bbfb27b0670e5241a3411e12fabeea126054ad6d93049cb60fcb39d011ad3856dd212aacd1fe9c25acab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
7215e13c7f94bdbdf7d642e03474b217

SHA1
9e2c1b4927aa28d38a69334759bac65cef760dbf

SHA256
d977be8f6cb2ed4c0623fb60b4fbe4a46ee9bbe5ca58373ac1ece9db61f990cc

SHA512
63ad7a7e17c76f7f3f9de6d1713a46f79b7a0569985e483d8483723ff81b942904fcc12b1a7b08366084029c92683d7221ca1106cb09689662430f6765f30c02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
9ad672729bc4a8a86236dd3db7950d3f

SHA1
4b4e5d21cc325253d2886024e2e49e5ee30fd94f

SHA256
f5c922b2c0746753b1206b450896b06ee7ddfb49b4127253379d32fa42ed512d

SHA512
84b6d0223e16fd5738a82040e2fa8aa97b1225f2147fe825f90ed4eeaf254119d79fbe44ca93de7a6971ec87a68211b23a3e539987181ad8ab4e0d7fcfb33d89

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
e611083ac5fad054b78d5e4910e9a479

SHA1
c735f18c916cf4913c88b183cf90c75ea71db0d1

SHA256
186136caea5cc878c65113580f471b33a08ead32c206e2fe4205c677cf106522

SHA512
fcdde44b258c92408db85f0c965467421415cc1cb1c61e1d41b143952b84710281951ce0bc1438f2c77ed94ec50d0e5153d53649fcd95eaf6aa538c57aba4b6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
024830024d1d78166c7ec7342dd246dc

SHA1
894d8c43b964b6fcf838e280420ed67dd3a4e3d5

SHA256
1a85271aa06b1304b6a98fcbad0f2504f3eed75db09590c703d5ab01d9a8e1ea

SHA512
b6dc5273c429dc1af7db0383855c97b15d322822807f2fbda62a2327b33d767e91903d3624972e86e59bab7f5aa95bab19200425f66045b37d92e28748479f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f088b884f9c6d3f3999c732d0bca18e0

SHA1
d8fc2e37117497183038ec6268dc5a65038ae99c

SHA256
c0a6a9605320685ef27cf470cd0926ba86283cd44acd0c87b93953e8bf4afec7

SHA512
1ea5486495213334b699e32415aceae37484a9a1b36183a035f6a2f593ea126887ba0fa1a745d934333cfaa80ab0abb8eaf331243172392732e43399bb507d1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
a47ea09febdb707979d78378ba535da3

SHA1
e074d3e95f3e9ce4808bc5947fd9aab6e49cf9c9

SHA256
f3ddc31099aacc3c56da0229bdf114d2146e8515f713f7e7431d0f3e77aa66a6

SHA512
865142bdea9195f02f23781337c8982f7579a14df430b6df3cc20b5abcfb2df42c176282dbb3e50c8041948421d7cee99e8594e893e428e4af1e35fb3fe40f91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
39b558f32751b0cd1d3be24136eaf6cf

SHA1
2406755d0d7bfa44fad2bca5ac23746a48ca70f1

SHA256
a6be21136aa5755257146456eb5ec85da7e54957ea41ca726f9e7ce47ad9bc11

SHA512
6b86e66f19f66f46f2747a654a07e5c1ab912f6cf5252e1b927cb029b9667f144ffc1a760b7c6c268042605a0c960f8c320e06bd817327e1fffe5e0142e2dbae

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO01E9FB89\No 00014052024 COBRO JURÍDICO VIGENTE FECHA 5 DE DICIEMBRE DE 2024.exe

Filesize
1.2MB

MD5
b1b327d8db2794004adbf646f7677d62

SHA1
03c179b5453dbc6f4a5ec5068f0450ac7e9948ed

SHA256
3869769b65124bdb2c6060d240dc17b9c5852c3f0d372bea0ebc2289313cbcc7

SHA512
5f59b1cdf066068b7d51a8df11f7b5daf1ea3e33093ff4107d69574b90a29f2cf4edd207b307f0c1bd7f12a8d5d58a5d93032c58cf386f9215e775dd7105c65c

Download Submit
C:\Users\Admin\Downloads\No_00014052024_COBRO_JURÍDICO_VIGENTE_FECHA_5_DE_DICIEMBRE_DE_2024.tar.crdownload

Filesize
577KB

MD5
ab73fd37a2122dc5e6da6ebd1dbcaa17

SHA1
f20de8614891490cf6e9eddbdf46062fec5fab1e

SHA256
6061cb58c47d1e730ae469cd09caa4c5fdcf27197244c6e2f2665d483c4d0968

SHA512
0db17afc86d134dad582304d24cd9dbf20668ef5191d817904b26e00cc98b6c637bdd88be289376633e2d7d4526af559cce365144ef293ca96ce7d47124518af

Download Submit
memory/396-151-0x00000000014A0000-0x00000000014B0000-memory.dmp

Filesize
64KB

Download
memory/396-166-0x0000000006A10000-0x0000000006A1A000-memory.dmp

Filesize
40KB

Download
memory/396-156-0x0000000007010000-0x00000000070A2000-memory.dmp

Filesize
584KB

Download
memory/396-155-0x0000000006A60000-0x0000000007004000-memory.dmp

Filesize
5.6MB

Download
memory/396-154-0x0000000005CE0000-0x0000000005D7C000-memory.dmp

Filesize
624KB

Download
memory/4016-150-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4016-152-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4016-153-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4016-148-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4016-149-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download
memory/4016-147-0x0000000000400000-0x0000000000552000-memory.dmp

Filesize
1.3MB

Download