xenorat | hxxps://gofile[.]io/d/UR7sW9

Analysis

max time kernel
599s
max time network
486s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
17/11/2024, 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/UR7sW9

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

Mutex

pythons

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000a000000023ba0-94.dat	family_xenorat
behavioral1/memory/3060-97-0x0000000000820000-0x0000000000832000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	yes.exe

Executes dropped EXE 6 IoCs

pid	Process
3060	yes.exe
3488	yes.exe
3840	yes.exe
3684	yes.exe
1956	yes.exe
2144	yes.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yes.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133763463224259609"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1272	chrome.exe
1272	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe
4116	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe
Token: SeShutdownPrivilege	1272	chrome.exe
Token: SeCreatePagefilePrivilege	1272	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe
1272	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 3424	1272	chrome.exe	84
PID 1272 wrote to memory of 3424	1272	chrome.exe	84
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 432	1272	chrome.exe	85
PID 1272 wrote to memory of 1564	1272	chrome.exe	86
PID 1272 wrote to memory of 1564	1272	chrome.exe	86
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87
PID 1272 wrote to memory of 1760	1272	chrome.exe	87

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/UR7sW9
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffd4fe5cc40,0x7ffd4fe5cc4c,0x7ffd4fe5cc58
  2⤵
  PID:3424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1840,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1596 /prefetch:2
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2136,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2148 /prefetch:3
  2⤵
  PID:1564
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2216,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2240 /prefetch:8
  2⤵
  PID:1760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3148,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3144 /prefetch:1
  2⤵
  PID:4148
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3168 /prefetch:1
  2⤵
  PID:1732
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3636,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4468 /prefetch:1
  2⤵
  PID:3396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4840,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4852 /prefetch:8
  2⤵
  PID:2644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4892,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4604 /prefetch:1
  2⤵
  PID:3124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5136,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  PID:4560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5112,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:5004
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5384,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --no-appcompat-clear --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAACEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=4584,i,2700231792950923296,2644371973917413902,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4708 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4116

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:1600

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5072

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3840

C:\Users\Admin\Downloads\yes.exe
"C:\Users\Admin\Downloads\yes.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3060
- C:\Users\Admin\AppData\Roaming\XenoManager\yes.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\yes.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3488

C:\Users\Admin\Downloads\yes.exe
"C:\Users\Admin\Downloads\yes.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3840

C:\Users\Admin\Downloads\yes.exe
"C:\Users\Admin\Downloads\yes.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3684

C:\Users\Admin\Downloads\yes.exe
"C:\Users\Admin\Downloads\yes.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:1956

C:\Users\Admin\Downloads\yes.exe
"C:\Users\Admin\Downloads\yes.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2144

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
c0393b37584fcd7f83f51422ea03a493

SHA1
d7d7f593566b4efb2cae46abf239ae7134901f77

SHA256
f2928f60099d8bb70f28d38a68d1aa9e77208adac9d64c8dda8fca3308fb61e3

SHA512
db92f3603025370bd62d1309aba508087262c03fddd2f3d557b1d58c9b0031594242cad183f9c4cfeab33a92133ba6c3900aa13c0676e526003244c683334e8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
d626109fd392f81f34812fe044adbdd8

SHA1
790b84127884e420f40ec71ea3f85722ebf93501

SHA256
58d1dc5fc7afe22c886b5f1959a048fe7aac1835bf4f84dfedc2bf57dd127b44

SHA512
5ab248693f66cfbaf181870199da663e6da920a759098b7e810a37d908230c584fbd307eb4af2fb4f3f849cd152ab761dfd2db21916500520b596e6b5608aa02

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
3377755f1699f40bb4a8078aa2a8dca4

SHA1
e04909454aaf169012cef1667aced2b4a870e410

SHA256
e9f0224c0ed447600a0434752520a2d256d37ba62acb455858ee3eb35abb2d8f

SHA512
7049937397968ed9644afd7a8ecdb1485ff8632fd6e5e9cafa89d2a49793225612aea761fa92a68f6ec132d394488407c270b6af359d8c1c2e11e29bbb9e28e6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
f4986960be8fa63ca361cd2c228f9b1e

SHA1
b0cdc4e7dcdfee8a95d1e18e14814f58e4196deb

SHA256
3c051c2941366ef485d1c4f126400edecac03cc3a66458350f39a43b095a2ba2

SHA512
478061d678d6c346a5bfd3e0c2aa9ec08ab2f72dbc14ac6bb0c855460779d088092f36b08008ee551c8de222e4ae1e2679a17777b3df471715a09560378afde8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
840893126a92904bc73df094c0ecbb28

SHA1
3b3cbed4eb75169a8a991303ffa4315e21bf5985

SHA256
c22f0074fe5e5587509624f35dc2dce9cef3beab707402a02be2c0ddaf6df9f3

SHA512
c2f1fb3725632301112b8205cca26c6c9cca17cd76e6ee06e3a78fead454d82542d64e3374faf919f2427183305bd704bf76ee016a269a515480c989e28efdb9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
0199cc5d08f5e00069a2bc0381f3e1e5

SHA1
e9ed3ea92cfced7a12fae94743a3b38894f13e99

SHA256
1c772ffa49db50e84f2895eabe2d03cdc4862a08483af45c5dd96bfe00a6d09f

SHA512
392e6f5217416e8ae48071ab6c1a6fb12be689136cb450d1808eac6255ba835c2ba59733fe0cef5f23c413e754f7b5c16de2b4ea26c3e9fb70eb79ce8caf2748

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2e8d778c7ce44f2ba2bb8a8fee26e935

SHA1
f41f1ad27abda8002f0a32c5fb131e3a929963b8

SHA256
ae67854150dc33e6d707b428ec0037cae349149b5c854549c310c0bd5665330e

SHA512
0afa7eae8fa68b5d9f1516bb51fdf6544ef5ec7467d555b198aaa97f1b87d2690d47bedacf06f47c897cf07cbdfc45c4e7f0a2d24e8a7b8fec9dac5b415ad3f7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
3066cf6978363fd2edc1886e6e86e908

SHA1
87c723b8b8fcc97da517b1a5deeea5a94caa1259

SHA256
01e90191a949bbe76570cc39298dde1a8e3f5dea1479a66b0fd84550b997aeac

SHA512
d4fd7720d9ca061102b923d8e786cc098b999e388f4c7b5cc905cd0e32b048b9f465cfe509c41ce650dfa9a3e25781421646ea6f71f9417d35cf9031c91a8b94

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f8fb065cb83440ccdb04574baa53db38

SHA1
cce0b7e476674b1a018838b87993985a206ce68c

SHA256
efe1c8bab5e534d9fedcedff0bac6d957024275fbe2603993f82605719667e1e

SHA512
99d8b6ff2f36df5a3df75161a5b22040e73bbfdc5f5b00c25924fbac8cf61edb40e775fa9e205aa76d503800e406385196544dc2ef268a557b72aeec9915ca9b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
bcc14b0ca9f38efe7575c1e20c48ee8c

SHA1
0444bf43ac5c932ac49973103aaaf56851f775fe

SHA256
2d7788f2e6a5a0a53004ba19a93551d801824c4306f034836a8857f97af7ac80

SHA512
27cd027fc9b250dc18dadb3fb5f5dbd6bb22ad5aed42a217e882860e35a8fa6ace50dee99a7fd3ac74fd7334529d2c879933dae46b1432c4020928f4d4c74c21

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c4c2af2f660ef1814e21bf6c8d0d4265

SHA1
e6b0e396ead784d5ab4b830fc7b0d98d76a52335

SHA256
fbd4b28788878367d1b9883fd68dabaf5c10ff817e264988bd1dee220e76a863

SHA512
7983b5cd9141ee050fc22d869c4a5dedcffca46cd9876d9a23f0784c7c3590a3ea89b9e41d90cc2718b2f6204059521b548102e1739bce606890b9b1af4b9a08

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
877775495c4e72c4eb81b044a48e4b63

SHA1
ed856ff725c93b146c763a26c81d702180abe46c

SHA256
4f1945c5dd486757b58211da4a2a79040d3de1d73d54e88382fe396a27890acc

SHA512
7858aa274661b133238eeb0bde3572767d4d414193dbb93fdcb8f96eacde31cb7bacc17965c0cbf6e7098faece2a8aeb08899c27019286f8d4dacdd94461e080

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b433d2c69200cd5b58c5cb166e6088fa

SHA1
312641ad859e7351d1e68496cc4462f754bf73b7

SHA256
89121e3d7b01864473a911e0415a55e928ea1cca15ddf5b44c5b4ba03988097f

SHA512
00df29bf2079e7624c3368468a527d90656eb10e4a762e209b876a9b7f86fa45e8a35d67c37a2319f565bc90b72811982f050daba77633c510b2f89b61383e54

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4bec49f8aa008445aa041d5b25851509

SHA1
edbbb3664e50f5ad2d53666734a8a267e36297f4

SHA256
ad8a749836a4aebbac6cad83e021afb3784e288b69ed0fbd9e12a0536fe8413c

SHA512
62e76c30a69a63ec2a2da8cd11e276438882271d3e817a06f92a717648a446c1a7b1ea4a39429760e0aa0a832683409d0af6fa268e5ab5cecf619343498b6c1f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c26247eaf97284497183a723d8407d5e

SHA1
0f06c61fd41e4389f9835b80f4f47f126acd4ec0

SHA256
69ce39821e9234fbbd86843c2e960e9e48c538ba62428bae8247e68d60a0b4b8

SHA512
c8f30d86ee13440c0e7f4e1ae0db49c09e8de21a131cad61ec2a23d22c630adcbc50f685abb730f46f2b735df3fd5e868a8e4410fff25129a238877fd46616ce

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b65d84635d413395979d0dc45e7e0841

SHA1
eb23c91cf396937b413cd2cbe8dc85fb0706053d

SHA256
7d20d0e6756111aae5ca82f30639f893027c3f26cac16c9f468c523d81e5ad24

SHA512
dda73f98a18c5a10fda71392e51a64c0b331ddacd7b7a3811c41555cc33943bad0f885b431825111d4b2f7204a970a99d23b9baabd1198ac5c3a66c676667031

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
1649b4e4c319e502226346d4813a9867

SHA1
015d1c2afbf468c36f94b85d2b19cdfae36615c7

SHA256
64103faa139979f11aa892d495a26139c5a49111fc1380dee7412fb3136918e2

SHA512
84c620a2d408345acda96582691c6932472051b2054c0f72bc117ccbc9d559d6800f1022d1e2ecab8c80ff6fef8d3652c7479db3807a21b809ec07835745bc2c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
11f9f3ee4eafd5e4187e5296ebd9fd97

SHA1
88d22949ca4e7bf89241102390611c224a2ce166

SHA256
864e9458fd6bb50363e500715b417a77f1cc445b2e1ddb4df616b52766aca450

SHA512
035e337d6c025606f13e2ab8af7d45189be9d6c4d4e4a8d59b0fbc0628e8be03f42f946723552ee552f678dcf77349e85b98ccf1eeaf6004ab2a1877eda58321

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
2165725838df20e1f40bea902714442d

SHA1
d92a940fbd5786baed81496179b16bf41680ecf6

SHA256
2a681e20d8e0a0d36615db12e9fc38ee75aa95d846023c8ee3a2a01ed02c5534

SHA512
f902518e41d4be67ba35bb8abf5c85309212a4d51d3bd3ec0d7df7791c9db2ad039a3b524d8958b349241edf963cbe5f86c288a9ddf2737167a6b9c00e2549a8

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
718532281d34a96bfc8df713c2eba28d

SHA1
20f37e0cc415b079f18d8ad0ff8228a0ad72a21e

SHA256
b70761bb6683fdf1ef423841b36695c748bbd65b627c73fb6f1ab5cb4eb2e781

SHA512
fd55b7b6bf69a2bd7532c6d6e15645139768e0a26699429f46bd42a1c4143ca364d0cf2f9efe3c1c43a8ef21b411d3efd965894a814763118b7e20178bfe98bc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ceea3f27e895e41e8c3d2151bbba7ee1

SHA1
e210d75f6dda8c468f0cc5cb54bca5b75c61dc6a

SHA256
29d59abf0651761a6def03250f605da4e69eeecfa0cf7b3dea59453be1571514

SHA512
a2a35b6a2dcc73e3859fba540ad7d69021d5f3893c20791d245a03f84a30bbb3543b78196777ca8bf54757ea99bee5745753a7f263dbd64a777508c425ac94b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b67aeb475f3b1f1ea10fd40c95ee6049

SHA1
557fb39b2c87108bd1afd81649c4a4952e8e9d08

SHA256
257e4ebd1029ff3026eba4982700747b2f1c61be38c53478eff5f8f65a2a52ed

SHA512
34c3715793376b277e1a56e5508da1550add5b160840b8b41a46edf5599d530bf7236359b9a50de85b407a5ca5cd23ca1d72b9fda35404fd4e0a8c5a27785a4c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
72002e148774dfb135e100b149877725

SHA1
463d9b1d23d481a7ae1c6ac99e05c1425492213e

SHA256
09ed33649004c3d3cd405aea5c612668b23c95accd6ce9d7881a3806ee6b4768

SHA512
80881a834940b63a7bcbaea42a0f6b119b689ae3fd4708dc4d4c6b262b14f072216c051a63321b8a3ad8d19a4235b5d475499ba7c76a696d9e9c7663539457c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
edcced2ab8b51bd3369f50ca0e5406a4

SHA1
69c7b09610e3ad9e6ef44c209885d376f58ab579

SHA256
e071e1aa4ac95c681432958ed484d3bfe117ff2882d13418f80dc300923086ac

SHA512
eac7835693a98987406d8354452958d952d6d37f3132fecd460c114dfea110319a705587d500fd4d49a1fa7a317d73006b776d29ab2bb8b4aadd179df0a0e8fe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c33980e0ea3470cb83477ded929a54cb

SHA1
c59a996cbb08eb48ab2df20aeff1bbb8231a06e7

SHA256
410023285f85616fa95356b5b4a57ad6b84c01613a127f8fa89142d4cd5df766

SHA512
0fe1bdd5dbdc87a789583472fa2e7436f9cb4473264fadb716205b305bd963538cb0f534d12dc0813789db75ab20080d036831cd34a50d5c9cc1b514b61e0c50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
f1cdd8e4e8a911b3ba32dd0d91d0ad94

SHA1
584ccea5e9a2d0f5d3b389dd7b325865bc231d43

SHA256
3c343718b7a2ce0a1125657eb79beccf5e78cf3f60ed585184aeaf6be69be901

SHA512
f4ab2c2b90360c275ab1558064405bfb30105f4ce0692a113c20f1ffe5b6c263b0a0d4840fac96689f28a3819694bd284c2de056bdbc7ea35625f9102babf233

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
37221d770d59ae1a5692b321881c0ba8

SHA1
e2f794bbac10731287f6f0de067cb26a8e02d35c

SHA256
9de83d8835d5a90b0995f51efb7620f0bfd90e0c4f55a9f52ec58fe52168dfa9

SHA512
c8b26ca95aeffd63220bf56bda4ec1e8d937211d6d6dabfc21913a41621142caea66d7726b2544fb28bee6ba533690b5bcf5ac8ade467245f928adec3b41cc3e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
860de4e4c279a3f8bef27eba33d96523

SHA1
2737fcde8b11cc83871c5e266ce68a7ba2ccabff

SHA256
62643b1c3c96531e8c3166c7034d6c424f34abcc9cbe532fafe2ef0cb1b385c8

SHA512
2f2101463f59af7d4b581b834bb8f8f2e976467a76fa4fd3fd75083744099f1d44f8bf0d43f692172f1c3bc1ec9e649161bd8c944dda103d4d2218e7a4a6c33e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
b0a643d67b55d642a68c71a860af95c5

SHA1
8cff451621d4eb470f447d858006707b02033987

SHA256
fbfe65436ff1a5adc06b40e64deef944859e8a90c09d129c6c546ccbc59041ca

SHA512
1e5a9b71dc2e39bf5524b0fad01e195bb12fc9c7c3be6f1603c0a4fa09373ad8093867dbbe3f1ba5d5e88158efbab9aae98b8afc880d24c0988ada8134f75ce9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
8935177b39bcefeddd3faa0342ee0114

SHA1
9b6078cf67d9f1406bc97ab8d3efd7cf5711d852

SHA256
7bfd03aadae9585a031671d0be5ff61af1504afec28d36cc0bb9b5b8c4584918

SHA512
2102dc8130f1564391757b7837ba8b9e65a1a0d14a68720b443fc00a03d8896058b3d2596be1612b909ad2c56d8ed98088f54bbec6015246131e0ca0ff972a86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
cd40f0300a84292e276c64181d8199b6

SHA1
9f48366ddf099cf1c32897b2b3a93fcd011d30cc

SHA256
d70c41f01242279a5ef03474f3835ea8b4929c54e96a9e1d9233ad0f9360e174

SHA512
85a90b1e543ec4b512dde4b252d2664d7f9a92e549447b76dc598fc0723b8c3f4a249fd39c2d0699fb6fdc9b834622e9867a6a9d26ed00c641c4d6895181ac6c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
07262e01d9f3b5fff2934a52b08fa16b

SHA1
74f924c9bf5ffbf6b9845b0b08a9365485919d77

SHA256
f23286f930aee0083eea022507f5004690f8ee5ffa9b130e0b51be67d2414cb5

SHA512
b77dc2f94317b7acc37db13b34c7f1b873f37b1daa703c36e2b5a2cb5fd582ecf64bb2f194e387199de2f4605a2165160adfe82cfacc5b9e63e75e5e4b60fb83

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
344bb3f29cacb6af39e7644a3c1c6ed0

SHA1
628f94993e800acc437c5fb07e0cf889e244c3b3

SHA256
1cb743a104aaf76e7dd3a89a3838eaef9c1442342b348ee3c745e733c3d3403c

SHA512
1548fcc221056cdde2966e4ff99ffd135a82f62e0faaf649803eb1d8d901f585fc18565e7d95159b5602f6aa0aad469ac2ab6b8f6cb4bb0bad38bc367992ced9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
9bfdeb2eb6aad59bd3f8118cb5a0e32e

SHA1
083b19443b94a77111c2f4f110711fca3f41563d

SHA256
9deb70090cbecf7ad0fb91ec54357e3aedfb31fad30d3a61b9690dbb90069ad8

SHA512
cf312ccb043b855d92ada5cc0af26f390c6f198973dd6c27d0d4afbc4b70da54a76d414f243f3d29ee04541b787d7223f664ee34a564bba80ffd576494327826

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
116KB

MD5
3f781d954fcd842e0075c77d5e70eae3

SHA1
4ea483c572a07914400a378834d09d545c79b4b4

SHA256
733808bf65a1422e0b4d51cecc0e4202230a202e3aedd4f01b68ebd49e2ba074

SHA512
1c9649695538cd97962ca174dea8e51069a0e02bcb0dc144666b0ed631ff9276ee9f37b5f6265a26ff09f9674e7b31918ee05db9040af59e263050bc22603e4f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\yes.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\Downloads\yes.exe

Filesize
45KB

MD5
60a1c77eda63066861b41b99fa791e9f

SHA1
861810b547a8da033d11604f2ed498f880edc411

SHA256
b192c978d7def95f065f5da053863b603370684c8df3e4a54051d955ec0806d8

SHA512
2c715ff0385defb9f6b6d92d3848a819382a9213418609947460515b9c340477169dac99ad83010439ead24c04970c6f68386772be3a06e0cb6df3de724282a3

Download Submit
memory/3060-97-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/3060-96-0x0000000074C5E000-0x0000000074C5F000-memory.dmp

Filesize
4KB

Download