xenorat | b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

Analysis

max time kernel
149s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
02-06-2024 08:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

incognitobeta.exe
Size

45KB
MD5

e9fc233c0a49d897c3d5d86350986f19
SHA1

fa122e95d3b34518aff46efac9e7f56926b64e40
SHA256

b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f
SHA512

de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4
SSDEEP

768:hdhO/poiiUcjlJIn8tUH9Xqk5nWEZ5SbTDaaWI7CPW5Z:fw+jjgn6UH9XqcnW85SbTjWIh

Score

10^/10

xenorat rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

incognito

Attributes

delay
5000
install_path
temp
port
4444
startup_name
USBsupervisor

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

incognitobeta.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	incognitobeta.exe

Executes dropped EXE 2 IoCs

Processes:

incognitobeta.exeincognitobeta.exe

pid process

744 incognitobeta.exe
2768 incognitobeta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Creates scheduled task(s) 1 TTPs 2 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exeschtasks.exe

pid process

404 schtasks.exe
2804 schtasks.exe

pid	process
744	incognitobeta.exe
2768	incognitobeta.exe

pid	process
404	schtasks.exe
2804	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133617918086206828"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

chrome.exe

pid process

3956 chrome.exe
3956 chrome.exe
3956 chrome.exe
3956 chrome.exe
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

Processes:

chrome.exe

pid process

3956 chrome.exe
3956 chrome.exe
3956 chrome.exe
3956 chrome.exe
3956 chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

chrome.exe

description	pid	process
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe
Token: SeShutdownPrivilege	3956	chrome.exe
Token: SeCreatePagefilePrivilege	3956	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

Processes:

chrome.exe

pid	process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

Processes:

chrome.exe

pid	process
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe
3956	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

incognitobeta.exeincognitobeta.exechrome.exe

description	pid	process	target process
PID 3168 wrote to memory of 744	3168	incognitobeta.exe	incognitobeta.exe
PID 3168 wrote to memory of 744	3168	incognitobeta.exe	incognitobeta.exe
PID 3168 wrote to memory of 744	3168	incognitobeta.exe	incognitobeta.exe
PID 744 wrote to memory of 404	744	incognitobeta.exe	schtasks.exe
PID 744 wrote to memory of 404	744	incognitobeta.exe	schtasks.exe
PID 744 wrote to memory of 404	744	incognitobeta.exe	schtasks.exe
PID 3956 wrote to memory of 2156	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2156	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 2204	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 1004	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 1004	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe
PID 3956 wrote to memory of 3728	3956	chrome.exe	chrome.exe

C:\Users\Admin\AppData\Local\Temp\incognitobeta.exe
"C:\Users\Admin\AppData\Local\Temp\incognitobeta.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3168

C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe
"C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe"
2⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:744

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "USBsupervisor" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5C58.tmp" /F
3⤵
- Creates scheduled task(s)
PID:404

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3956

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff8405cab58,0x7ff8405cab68,0x7ff8405cab78
2⤵
PID:2156

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1728 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:2
2⤵
PID:2204

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1968 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:1004

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2320 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:3728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3040 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:1
2⤵
PID:2272

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3064 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:1
2⤵
PID:2960

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4348 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:1
2⤵
PID:4728

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3648 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4620 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:4384

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4576 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:3460

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4528 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:4212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4592 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:3924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4912 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:4536

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4988 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:2916

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4652 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:4932

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=5012 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:1
2⤵
PID:1808

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=5040 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:1
2⤵
PID:4036

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4448 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:3676

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:4032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4736 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:1500

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5136 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:4592

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4368 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3084 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:2252

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5540 --field-trial-handle=2008,i,2212754895078040190,6912981107324669225,131072 /prefetch:8
2⤵
PID:2400

C:\Users\Admin\Downloads\incognitobeta.exe
"C:\Users\Admin\Downloads\incognitobeta.exe"
2⤵
- Executes dropped EXE
PID:2768

C:\Windows\SysWOW64\schtasks.exe
"schtasks.exe" /Create /TN "USBsupervisor" /XML "C:\Users\Admin\AppData\Local\Temp\tmpD685.tmp" /F
3⤵
- Creates scheduled task(s)
PID:2804

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:424

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x490 0x508
1⤵
PID:3912

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
72B

MD5
a80b2ae7ec59a0e54fea8f02239e56fb

SHA1
bfc3f0ef11cac7d0dd79788a284f3da88974c05a

SHA256
9ab94c029a5c276967297225f660b5afa889d6f7283914ffc88ded3a98ddb42a

SHA512
fe891f720bca2bb4221e8f5cd30805d52dc1d841093a9d4c002090c9d1ef7fe4571a0e83a38a1dd19f338a595af11e224693ed79b8f6ee2ace703223680cd0e9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State
Filesize
2KB

MD5
d9d85aad1c441f545ec4b70d29aa641d

SHA1
0a82e2ea176b1883f230eadec7a184f6ca90d485

SHA256
44e62a200ed57cfbba2c04a1eb1a8efc3a440ee5e46df0b284e91eb27e596859

SHA512
57bcbfee39500556b57ed0c8ee04a0cf275c8f215366ecf4c1413e26c5ac5beeb11f0491ccb0c70c4445dd653b1d14fdf7e795fa92aa3fa739b3ed16fb3a11d6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports
Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
356B

MD5
099b8e83b58c07ddf913c5a5a649cc89

SHA1
380a49167e9baa546717c516b31a2ebc5ac3792c

SHA256
4f452828d9fd37d56a45611581eea7d530dde8ab4b348c61b296bd402d4fe275

SHA512
31f2d39a36b499142ab80934c52a9b00d8e6e76d91547085e2865ce61b020105c0f3a92510705755c17b389ccde6c0f38b2546f2e67457ec3d81c102a759a574

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity
Filesize
523B

MD5
b2eb07d8992f5cb33316e0845699f1d2

SHA1
885be3875bcdbdcf8584a9e3ad6c96dfd2024b3e

SHA256
a5a0fb2283249d3bffd308ec29de0184bdbfa84892770d43efb0b8861342260c

SHA512
7c2fe4a9cd30a3ed3fe32796397efc2df34637b41d71e75cd5c29a1d419221cd17046d2a5799c6ff9c0cf41f0927b0b6b41301b70260488bc679e0ec3a4ccd5c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
6KB

MD5
c9bd6114c3a059e0673198b4b3c47e80

SHA1
e6f099328ecd3bd389bc3275387a8e1f1b19b5b6

SHA256
a7a3e8fd1b9f95dbc94531505f04d88fb2c866ea67b15066aea668a6d07df7c1

SHA512
1dcae6295d3f54aed71ae25964ebd7ba2ba54f6c3d4d7e04d58acfd03a0c241babe686778eab4ed39b936a934192806fa50b058ce0a371411d5fda86c37abedd

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
c0a1deca35e05a798076375e038bc2b0

SHA1
4cefd1c69d7ae5ab5e08c5ee9343108542278f70

SHA256
3296f5b76992b2f1a24eaf9eaf0363370678251441a3517cb08f86dc65b5f3b7

SHA512
3c75e89d90b7d83ca7934200b8ac465aeb155335a35e3a3006741694061a3e660069489d2466aa19d6708ef9c0c46a19b0253211441b383966984953ee85d638

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences
Filesize
7KB

MD5
a43f5fc0c5adcfe53b5c401a360d78b3

SHA1
1384e5e5a9266f8f6755faf98a674d8b752cb455

SHA256
b0d7c6c194f07cba30960a45f5cc8ff76ab9108cec0e611240921ce369824463

SHA512
69cdb5c7b0619c7b75a974e0a28d6438fbe096ef787586f006a0ae78329329387e522002418cfd885d483f6da0972f88b46ec565b84beb38e10dcd21eb2dd466

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences
Filesize
16KB

MD5
a8d375b2a8752a0fb5bfbbfde35c7c1f

SHA1
6f8b1ecd8fc917528861af5684b5f2a93101f7ce

SHA256
7defa96ca83b72ea2d6ccbb1ff01c105fb311b0d3ac37932726623d237191e21

SHA512
0a7d0df8f94566f7abd1890da08ac508c6e3b3a99b2482f67cf3553a16edc2e7e9854b60af6c47d8b768d698ae7ec3432f4f3d59d1afa14b3f91dfa4142819e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\Database\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index
Filesize
72B

MD5
17cb37d92f6f70a3bb5c4d7d66ed311f

SHA1
cc276b0a904d80df59f1c888116ac5f7b9e63da2

SHA256
7de4b1f1ac333b0a415a86d67bca73716082c310da4fab0087ba7f2336607256

SHA512
4504fd962526e95aac4f5acad6fb9ca394abe3ec4870635502c0ea287ebff2884166efaaabfd5c144ad753570c9c2d0432a7fcb024e7a5a95ed918beab012aab

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe58cc25.TMP
Filesize
48B

MD5
2c10194e8920b5cfc2e9ed702ca98d4c

SHA1
9bec05ea74c527c15d84bd38f7f675033d8290d5

SHA256
0f12ca54277b32b985e533fe27f388c7fe165b9a0abdadd5b938740719073e04

SHA512
58837174eaf18abac5c67e71e43053f6bc989c04c657b16c95c2fbda0e65b4eb29af837133783ac1c3682ff6ba4ec2c5cb3d1508571677e5de2b07109000ef50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
263KB

MD5
12a1a7244d1509c0201f44af7005cda3

SHA1
36049f9309fc5cfa89b577e61ae5f094f4e2e3a0

SHA256
387a42194ea9441dc5e49198b2df292800d6a08b278b9a7446c568d0bb61f14a

SHA512
6574d28793ac80c39126ffed002caa4a0916123e97152d6ddd4e9f6aaab26b8cba7b30d27eb4a99a4027dfa780220f012e30692265163efd688e094e61903d6f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
257KB

MD5
52f2750e004f694c74a470786710790b

SHA1
ab203f682835bea5d982f42d197090870ac49fd4

SHA256
6423c839b9b6438634df9980ceee5e85175e3807e0212f9d8dfbe0f3f8a557f0

SHA512
2f60966b30dfd9362d7273bcfb4305fcb07303e369a0660c640d65e488ffab75ade83e38f3db478a1a2dc1033ab582204b608c1c19824e6a9796735abd2b5498

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
282KB

MD5
224cfe0820fc717cb501b911d244175e

SHA1
eea37c9dc688b12a07ca65eb1e1779872c235b39

SHA256
17e0a04b528b2c233323e739d19fcbe08901258ed67cddc015d7c18bebd1e7d8

SHA512
0b3a17a6c9c7f810614b53fef904fd3757d3b27ddc25a3dd16026bb21c88d2037e09b0d24b653a126524307709eccbdde36418e5995b0099f83f5cffc04aeac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State
Filesize
262KB

MD5
89ffefa9bd54af6f12ce99869431057c

SHA1
a82a3c4da85cdd02bdde6189fa15c6090d6d4629

SHA256
36f8079469c495995de6919ec9f5818ba55161a2a11097d8edd9848fcde8cfba

SHA512
edf414cf2494eb72cdb1782301c6f8f26fb625aaeb3b9fffc0e3e0a9a7cac0974195ca707c7ab107c8402c482e8ca4bc16baf6370630a28f50e9a62aca23241d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
92KB

MD5
9456b678e4cb98ddc1dfc4da3adb4e8a

SHA1
5fea987436dc5755c61e725ba0987374e218a7e2

SHA256
00a4a5e2405c757113d78da3adaa23fa99ed11b20a757f24e2d665732c0a3ac7

SHA512
6cdb898e4fb51f0dd503094638f62ab8b1b19b87cf9d64db9ce83464cadb522f67eba22681b8b1d4b14a45fa5a2c2df6638954ca5d097e61095618f2218da906

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache
Filesize
104KB

MD5
fa03028c152a0b06429ccb157d4e05cc

SHA1
68581eecc7accc025d9a9354ae2355916ba230f9

SHA256
2a8a10d28177e5e044e836aa56b8325769f96146b2be2b0ecf5273114cff3d1a

SHA512
525249e4a10bd9d441dc97e0eb16420d20aeb3a87ee941e995305006286087f37770d18ffd0da61ee75ceff924bee78324a4d2815ebbaea39d212382901ca0f0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5881be.TMP
Filesize
89KB

MD5
3efee9240f32b5d141ab93e5902f5b40

SHA1
4dd8bbc084fea7d13f5916351f424f6b5994e15c

SHA256
02aa4d5e363119890bbf28628ac32a0122fcb5232dd97d59658058fb07418aca

SHA512
3c6434faa60d213e058ad0ada612281068190b5dc8c04833e991e6d80be28be0b1cc6bebf964ed7732ce905312eb51601bd0a6e8694de05fd6812f7b1f8d2af3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\incognitobeta.exe.log
Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\incognitobeta.exe
Filesize
45KB

MD5
e9fc233c0a49d897c3d5d86350986f19

SHA1
fa122e95d3b34518aff46efac9e7f56926b64e40

SHA256
b9e61bef0d3bbe426ef78c71f18141967f2622d048fe0f24ccb80cdef75bb27f

SHA512
de06a67f60959efb9bd89066b81e3ad788b1b49ae10ac19269914470fa7605bea95e3f98e348d2df67baf0efe310b6c2333c29e1d0ca2e6071db185aafecebd4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5C58.tmp
Filesize
1KB

MD5
0ee58773051bcc7078f9f29474b1eadd

SHA1
7f49e6cfd836b54c08f966e32c9f1f5670fe3dfb

SHA256
ebc60f1db998381cbe8a1a62ff1fef0516f8ba2b03ca61883de1238581b48338

SHA512
3e68474c21230eae6197f5dbd2aa35fe7208fa9fa2f3687cdd5e2f7c3b75272552a85e3979617c00c58a97e2660a3eaee183c8f0c9599f7da2de23ddd72f328c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD685.tmp
Filesize
1KB

MD5
ca4ca40491a93a911b17bc514c823008

SHA1
01a1a262d989ebedcea1adb2759cc777c693cc4b

SHA256
ae114e800e7c731cc2df421131355d9144dbf560f9717e57f30607fd465d0d76

SHA512
bc6fd439ea0defc06454a85b2a6302690901a5d3e4c8b64fab5f099d596412653fe061f0090daefceb62d334a64f33660beccdfc622bf76e6aa1b675b0083f51

Download Submit
\??\pipe\crashpad_3956_DONGRPVALJBRBGBS
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/744-20-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/744-19-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/744-16-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/744-15-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/3168-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download
memory/3168-1-0x0000000000F10000-0x0000000000F22000-memory.dmp

Filesize
72KB

Download