xenorat | 6958e71ec05520b33c77de4fdfca9fb56c41699a0b47af066fca79e5df70eb73

Analysis

max time kernel
149s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04-10-2024 19:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MinecraftModPackBedrock.exe
Size

447KB
MD5

7ffb057756968e3f079a8495fcdf3f29
SHA1

12f35b1e806a0246fb3d6bb7d43a86903f319a41
SHA256

6958e71ec05520b33c77de4fdfca9fb56c41699a0b47af066fca79e5df70eb73
SHA512

77c069eda9de18f967666e9ddc1daa5e3a8f14dfd01c2c5e4756b981ae879d87b8cf02fb7029f5d451ecffc951ab78e5474196d90a52c2057f2c733527ab821c
SSDEEP

1536:Rw+jjgnaoH9XqcnW85SbT+uIDMCLsYaZ69ImcWxoGhvvvjtTTTEKY55aaaaaaaaJ:Rw+jqa691UbT+BMrKImcWnTTT4v

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Minecrafr_Mod

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
MinecraftIsCool

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/1112-1-0x0000000000DC0000-0x0000000000E36000-memory.dmp	family_xenorat
behavioral1/files/0x000700000002347d-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation	MinecraftModPackBedrock.exe

Executes dropped EXE 1 IoCs

pid	Process
988	MinecraftModPackBedrock.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinecraftModPackBedrock.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MinecraftModPackBedrock.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133725451385151420"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe
Token: SeShutdownPrivilege	4708	chrome.exe
Token: SeCreatePagefilePrivilege	4708	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe
4708	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1112 wrote to memory of 988	1112	MinecraftModPackBedrock.exe	82
PID 1112 wrote to memory of 988	1112	MinecraftModPackBedrock.exe	82
PID 1112 wrote to memory of 988	1112	MinecraftModPackBedrock.exe	82
PID 988 wrote to memory of 4028	988	MinecraftModPackBedrock.exe	84
PID 988 wrote to memory of 4028	988	MinecraftModPackBedrock.exe	84
PID 988 wrote to memory of 4028	988	MinecraftModPackBedrock.exe	84
PID 4708 wrote to memory of 3148	4708	chrome.exe	99
PID 4708 wrote to memory of 3148	4708	chrome.exe	99
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 3708	4708	chrome.exe	100
PID 4708 wrote to memory of 864	4708	chrome.exe	101
PID 4708 wrote to memory of 864	4708	chrome.exe	101
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102
PID 4708 wrote to memory of 1372	4708	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\MinecraftModPackBedrock.exe
"C:\Users\Admin\AppData\Local\Temp\MinecraftModPackBedrock.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1112
- C:\Users\Admin\AppData\Roaming\XenoManager\MinecraftModPackBedrock.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\MinecraftModPackBedrock.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:988
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "MinecraftIsCool" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4028

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3188

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ff84349cc40,0x7ff84349cc4c,0x7ff84349cc58
  2⤵
  PID:3148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=2132,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:3708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2040,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2256 /prefetch:3
  2⤵
  PID:864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=1772,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=2440 /prefetch:8
  2⤵
  PID:1372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3160,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:4124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3320,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3704,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4568 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4708,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4712 /prefetch:8
  2⤵
  PID:3972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4696,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4692 /prefetch:8
  2⤵
  PID:3000
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4732 /prefetch:8
  2⤵
  PID:1608
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4760,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:8
  2⤵
  PID:3936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4404,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=5152 /prefetch:1
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=5232,i,1190527075891290782,14708869141237186488,262144 --variations-seed-version=20240802-050153.822000 --mojo-platform-channel-handle=4804 /prefetch:1
  2⤵
  PID:4948

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1640

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:2732

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
34989cf2dbf15ae6e1063f73e978b5ac

SHA1
5aaf161974621bcc695e7d419725bcf3f890b414

SHA256
b4e37ba853c60d13c414f10b2b0becb8c06e9deac4d98f626530171b56121aa8

SHA512
ddde12d0d5b8770b952e76f320655bbb514df3f0750c424c2023ea34154a17b4c0c765c02296a0f0760731e6caed9d5570ce0cc1b93dc84ba28d4bda13b3cf1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
216B

MD5
0da0f54a154f151d8db9bb0489b2a51d

SHA1
19447934fdfc5fef1e39b4089450a8410fbaf697

SHA256
106225305ed36664b452a974dc8612d28bb23b845f48e82a088d77218938a075

SHA512
9c6567b519fac0fa0bb9f4615d1f499035503c06668214690b1384d76916c8b06326a9477bb55566ae9955b59b77545ca51b98120f33b710748d9fa9d26e3f3b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
384B

MD5
c1d85fce0d90afe588af4dd0419c6da0

SHA1
5bb3ba2511431eb243194f41f7e7c8249487067b

SHA256
01664a5a28b574261327be5409835a99bfe454f19786717ebf6947236d829b4f

SHA512
9eaa19d10990be88e516c8e3cefea5ac138e171072712718d7baa46e7689f2e519ca666897bd3e86af7d5e1720099c4a4119f39272e5c134eac64f40c326ff5d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
5e0ff376d5aaa67bfcb81dccab7ef2bb

SHA1
5402d60e99d10712a8a871fefe14e93e9e0a0ad5

SHA256
b13ed5c0b643ae084518f38d4700f42166b1aca9546592c12ae22372f259c79e

SHA512
596c9a4b247dace0d1d798f5074269133f5185d226dfb83dd201db529176cf2165bba4517ea8f5753a343ff836e6146121bd95477126df63aac8dfa2f6a25577

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
d0733d994f7f80d84768bc8e64889f8f

SHA1
87df89cc9a9d13ae701121563de9e543f9f2e54d

SHA256
fedd737b7bc418ac56abf1d090aa0b9a5106cc20d6c0770e29184aa953dd49c5

SHA512
39df57879ab76864751f61d6b3a2c131193d3e48952c1213dfb837834e6e8e28f75fcf02b34c656ba1948db137c4a54ad0854778dba1ecd170844724691c8330

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
687B

MD5
8e225c8387482a8f8f4e2dbd47788e08

SHA1
aae097aad9d6c00a4507a1a90505fdc9ad5c6a04

SHA256
2cfdc0cf2933bf3d0807ded10d9ba61bd1c944c60d8943c486e28935e940e74b

SHA512
e96bdc275b314ccc32a406bcd3d792c55e37f05dbe5ea650d824847e41c7a215d58d62f4aa07d8189cbeb01129d83afe18c2337ee9107f11002232278545b6ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
689B

MD5
9ca2d473f8e8001d4b3a593ebacf1ba1

SHA1
4397815f0001d1182e45b63f56fa03755d1579ba

SHA256
0f458f178810618bbc9a394f2381d83bfc7fdb5da2121a7af13c013304dbace6

SHA512
d00563c7672937e3101d27134d889ed499eafa61c19736e2823f3131ff532ba7235a50f269ab13ba4c64c504c23f4d3783ae78c7b0802eee554c607e02b876cc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
412bfd5c5ea1a6644986bb45ddfe2d89

SHA1
710801399d059bd4404864e250db6a684eaf1554

SHA256
b9a62f9504f153d416c7ba2639dea1a667477af398394d34f7a502e8b227c723

SHA512
da4648e861c4859481dbf75c025e4861a0bb88468bec09799e8875984ff57fe1f72c6a03f57f97f874f294ee6c6db1e61af2b329d5469e829a1921d4504508ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
c1fae15cfb5f6e9added347063f112b8

SHA1
13d3f7cf43b8e8c63980eb74ef0edd0c6e8e1688

SHA256
6b881ef403ce6fc0d60f75a5ab28c00cc70d0fc8502b3c3fa4ee447bb6c7a20d

SHA512
f89aed0e28605d3005a2579c9d47f88afb2b6a3d44e18ba47549f2f5b35e5406b92b87bb79a521d847eee07f81c4ba4ca3f20790da5e04cea86d435789b7b3cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
b2be71075783c63d6f6349dd7e31e917

SHA1
b3f9971e4af15cf8c4f3faa2ea014b728ffb8eda

SHA256
53c3f6ddbfce770bb6c179a0b22aa2e618816171f9a5c60319525807381e195b

SHA512
8f62f9c4c9632ff1a130a2135984c68e603b1fba5f1ffd53d1eda79cd7f7bb235b448b304ffd77b69c7055210e711f8b240cbd383ce4173a7b2aed84930bcd41

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
1dceca9598554e9dd73604c0b662b703

SHA1
272558615d5e2670c2c2affbef62ef2fd04095e4

SHA256
f26fc69327a5e9cef42a672c6209172d56be73bdad8886d9d79cc97c0e4c42e5

SHA512
283f10efd09603fbc989153e96ee7eb31298a2b8f8d6d274413398a94b33e7c1906f2abff5d665d2fe4ed6b1488c02d3b8fe5e15eb95f2b695d7336f4e4b91bb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
511ecded311debf8ba3efd6ffee888b1

SHA1
60e0a2ec34b60e89fd6368a710d3d018aea944ae

SHA256
f70af1c4487057ef2dd363ab7e704e7691b86162422db41d189328b8155d1bed

SHA512
9a00a357cdee1449bfbd6a783a4789012e8f11ef36c27ea8e90941f037fe524356a749a3de8e05b79f4e65f1d95a551cae03f3d24703f09ca9f2352aa1e888d2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
918c271aa590c6d99ba33998d3e475c8

SHA1
59695fd171f983bd15fd751e8a6e1744b9eef99c

SHA256
821bf56af950bf147d3d6ace7e9e52104a4ec0be59dca80dda1cc24caff56d6b

SHA512
53ba117c072d932586c84feba201b79b74ee9afb282c172a5746f061389d1881bd4f55b8c6edf028b34156da68b5fd3b49c24defe63ec48b518bb3718c116009

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
847821e1629b6315d0209ff983e17de6

SHA1
4aad513d2a41b7af7ae82aa486c9e0eb375442b3

SHA256
660880011abd805b333d7b38969a54b4b85747874cf1236c096772f71dd0e3f2

SHA512
ea14c9e927596c852c8a3b7fa693c8f7708a6629c0c4cd2c212d77a56af4064194cabb12cf6f914e8a002d6464a1ec2e1944adc2393124488de93beac474dd91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
0d03b9902373d9cc48c4e9e6c6ab8813

SHA1
3684c1c44f42ce8529f6e577db2dfa48851ec0d9

SHA256
9eaf33bdb4e4def02ac0c6106606ee9a255510087a30d6a376ee10d8db45e655

SHA512
c22aa7e3c468d577e804405870a4dc9493a70e26be55253f8229bc05e3370f307c57fc54da6c4c2d84088584313a7cdf42a702d03839e4ce277161f1dcbdffe5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
3ab3ede1b3725ad7dd9f2986b3db5602

SHA1
cdda1b76a020b5b79c24143d8390cb1d90908e69

SHA256
1910d1c6e0773e8034975a279c5c7bdf709b19332ad0f4b19b0d4a81bfdf881a

SHA512
d1771ad56ff19d7c6b86ada86b729ee02ed9cf9efb31676e465889b5d9e54531383331988846132ae379b59fe61a448880719ec974c722d7e7f28a2b614bface

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
211KB

MD5
c1fee53c190fe8cd06e6eceee8efc526

SHA1
1f4af899a986d3b9ef73e3145ce9f7ab690fb4f0

SHA256
232ace043c9d98222c4e13d09eae1f126944971e0f74a8de776f1e99387fc547

SHA512
fef0a2fd65bdb98d0b804ac35324e333468b501e8c1819cb7c637d3326ea4eda626bb88b7cb3d15f46fddf09ecca7c761a7a9bc632a4445424f49c3e803efb2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9A7B.tmp

Filesize
1KB

MD5
f5f470e2965b765e7c01ea26fe92674e

SHA1
3eb9a3518ae95beb592ad893575de7dd50964e7c

SHA256
31f19df246c4b2abf6e11a2d3ea489b2838373a67b935c290995a196133e5f3b

SHA512
a1438093fcd68693532fc81a1be84002761aa85c6f0095cd7d9cf918008adca7ea4868fe4d47639fe0cddbda598b2db56539712e3417f7a3a48dd24d879e5891

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\MinecraftModPackBedrock.exe

Filesize
447KB

MD5
7ffb057756968e3f079a8495fcdf3f29

SHA1
12f35b1e806a0246fb3d6bb7d43a86903f319a41

SHA256
6958e71ec05520b33c77de4fdfca9fb56c41699a0b47af066fca79e5df70eb73

SHA512
77c069eda9de18f967666e9ddc1daa5e3a8f14dfd01c2c5e4756b981ae879d87b8cf02fb7029f5d451ecffc951ab78e5474196d90a52c2057f2c733527ab821c

Download Submit
memory/988-17-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/988-14-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/988-18-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/1112-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/1112-1-0x0000000000DC0000-0x0000000000E36000-memory.dmp

Filesize
472KB

Download