xenorat | hxxps://raw[.]githubusercontent[.]com/IncsecRishie/wdwddwdw/main/something[.]exe

Analysis

max time kernel
113s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 10:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://raw.githubusercontent.com/IncsecRishie/wdwddwdw/main/something.exe

Score

10^/10

xenorat persistence rat trojan

Malware Config

Extracted

Family

xenorat

91.92.245.171

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
5764
startup_name
Chrome

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	pics.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation	xbbwz401u6.exe

Executes dropped EXE 6 IoCs

pid	Process
2836	something.exe
2316	pics.exe
4332	pics.exe
4804	man.exe
732	xbbwz401u6.exe
1208	xbbwz401u6.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	something.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	man.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
7	raw.githubusercontent.com
9	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 3 IoCs

evasion

pid	Process
3024	timeout.exe
1624	timeout.exe
1892	timeout.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133643047118904604"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Runs net.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
4620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe
Token: SeShutdownPrivilege	4644	chrome.exe
Token: SeCreatePagefilePrivilege	4644	chrome.exe

Suspicious use of FindShellTrayWindow 49 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe
4644	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4644 wrote to memory of 4516	4644	chrome.exe	82
PID 4644 wrote to memory of 4516	4644	chrome.exe	82
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 64	4644	chrome.exe	83
PID 4644 wrote to memory of 1144	4644	chrome.exe	84
PID 4644 wrote to memory of 1144	4644	chrome.exe	84
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85
PID 4644 wrote to memory of 4132	4644	chrome.exe	85

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://raw.githubusercontent.com/IncsecRishie/wdwddwdw/main/something.exe
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4644
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=110.0.5481.104 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcdc47ab58,0x7ffcdc47ab68,0x7ffcdc47ab78
  2⤵
  PID:4516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1700 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:2
  2⤵
  PID:64
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:1144
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=2212 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:4132
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2972 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:1
  2⤵
  PID:3976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2980 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4696 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:4748
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4732 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5020 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5176 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4748 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:3924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5016 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5180 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4784 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:688
- C:\Users\Admin\Downloads\something.exe
  "C:\Users\Admin\Downloads\something.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:2836
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "something.bat"
    3⤵
    PID:4072
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:1412
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:1832
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:3024
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:1916
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:2396
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1624
  - - C:\Windows\system32\net.exe
      net session
      4⤵
      PID:4304
    - - C:\Windows\system32\net1.exe
        
        C:\Windows\system32\net1 session
        5⤵
        
        PID:3268
  - - C:\Windows\system32\timeout.exe
      timeout /t 5 /nobreak
      4⤵
      Delays execution with timeout.exe
      PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5372 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:4036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5392 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:1856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5324 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:3528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5424 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5508 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:4116
- C:\Users\Admin\Downloads\pics.exe
  "C:\Users\Admin\Downloads\pics.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:2316
- - C:\Users\Admin\AppData\Roaming\XenoManager\pics.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\pics.exe"
    3⤵
    - Executes dropped EXE
    PID:4332
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Chrome" /XML "C:\Users\Admin\AppData\Local\Temp\tmp1057.tmp" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5980 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6116 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:1972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6128 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:2456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5700 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:3172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6080 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:4976
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5396 --field-trial-handle=1876,i,16973052674775539889,4816589415538777647,131072 /prefetch:8
  2⤵
  PID:2332
- C:\Users\Admin\Downloads\man.exe
  "C:\Users\Admin\Downloads\man.exe"
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  PID:4804
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "man.bat"
    3⤵
    PID:972
  - - C:\Windows\system32\certutil.exe
      certutil -decode C:\Users\Admin\AppData\Local\Temp\xbbwz401u6.txt C:\Users\Admin\AppData\Local\Temp\xbbwz401u6.exe
      4⤵
      PID:4636
  - - C:\Users\Admin\AppData\Local\Temp\xbbwz401u6.exe
      C:\Users\Admin\AppData\Local\Temp\xbbwz401u6.exe
      4⤵
      Checks computer location settings
      Executes dropped EXE
      PID:732
    - - C:\Users\Admin\AppData\Roaming\XenoManager\xbbwz401u6.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\xbbwz401u6.exe"
        5⤵
        Executes dropped EXE
        
        PID:1208
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Chrome" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA2C3.tmp" /F
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4620

C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
1⤵
PID:2412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9b49a09b30721d9dc2265601ad3a4686

SHA1
7125ace69166935fb3d838c4cc19634e6ff117d7

SHA256
b926d57ce9381ed484dc27656797e707d62c3ff8b4968fb480a6ae31776d58a6

SHA512
e89cf2d99f38d6a710651b0c06420b28041dd63a9e9c03be0a695bafc0ceb82ac4c6ce3c41a6eb31417d60cea047a2b3b6dc03dd054f8470c1159a336dd5c990

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
f8b42bb71f28ec70ed0a86b11b4a6cf3

SHA1
696b5c0aba67d63ef7e5dcee563e7e9429490fa3

SHA256
6750788a8e04ba8494a8f208151ca7dd973c67e257124f0c8653f4f69f5f4332

SHA512
06f1ecbe285346ff7c81748acc975f55461dbd952487074f5735d0c5d10b5fe515121fcd895d28597dd542366181078142a9a18c10d9d6a73d3cae7108482c6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
1f6dfad690cf5bb9c9e82d666325edb9

SHA1
17d3c38c5813a92f8cf49180fc80a5127bd7e36b

SHA256
c8e8244939943b8f493cb85c6673ef714f3a6b2a7b028d92a4ce08d945c741b3

SHA512
55627a83cf7f2fd8d9be9a47701c53f55ad4b2278866f1311938045d71e858593020a56bccb8675c43ba157192173a5b565322f79cbc3765d2d310af6c7df08d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
522B

MD5
4b89dfed5a6939f9d0b41de036f2e9f2

SHA1
ae65258c4bfd73933247997ddccd62ff46e7eca0

SHA256
8ac23c87f1542bd70afa753e610e35b0356d04ef032b3419cf8254ca010cce0d

SHA512
dec696cbaa03845ee1a544843f35527649a86d3d3ac15255d6594bafbc4f5be1b878e9752d6fd2971b118bd0abe0c47d594ea6a8ab0940ae35a206292dd52529

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
8c6abb7e88108e0e3d5bbc4f2bfb5328

SHA1
35f45c8d3ad5005346c906fc9188aac21c51c4ed

SHA256
566c43e0ee545c8bd51ffb47a6ab8ce04ca57d166d8fa270d9c46d33f448eeaa

SHA512
4d5b9df47be36851c1e92de1f72bb8be81c32eb0312b00dc7f335ba5f332832b22f7126f89edccb3210f11e077ed8ec06dd3bef9a578a0f626fab17fda1c010c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f4ac13ac115bf3b600109e9f05fb2b6b

SHA1
94842899189ca72fc2e8eea75780b22f884fa105

SHA256
c759717cac75d04b6d50554cc7563d444aece52639bc5992550b40194b24ccea

SHA512
5885448016787fceeac10fd3719ddb5a310df6e44fa9847e49757bee0a0384b58b81550d5904fc816d48def49fc5bbd95c6e06e30970acec3c4235c41d667d01

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
bec72d1225e04947100ec294de963634

SHA1
1ae5f36d90018995d3d68996db94ce125e733a67

SHA256
33a39cbf94d611c75b0081e8f590c112cc2eb0b35e2b357a0c57700101cc8f8b

SHA512
a1395e35532e794a2a2355164371787ebdb5b7fc3118499d542a5fee37d810ad4f1b0703c980670a5de028a64d65132555032f94775a123814c23264f494ff62

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d6575c16b7789abe900e98a82e433cc3

SHA1
9c9dbfb88a15f8e73abe25569404ab1179fff5db

SHA256
6f01ba98b50f49722785e96fb29eab22f50b61b24e97cbac1ca056b6781efc42

SHA512
90185a14fb919f177496f928d87a10aab3f00a0858858d608e18012fdea4e688eaf24a7d3d6ecac4e0a743780fd3cdff7d3045e4f08e37c2a54483351bc8045f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
1850884f3b42640a012555e48cde43aa

SHA1
24d85662b4e2c91c259734545bb3e6e75cc2ff96

SHA256
b3c5b400268d09a1a0c77921dfa2de192f075d462dd86bc2995ded02d0db5c2c

SHA512
b9918eabf5ab1743f4b8d0712b12ddec0d2535e35dc96b51811b834687604f93689e0d15b1595ccc850ef42cc5ea1b1da1e011d0e8a7dd228a2f928c7e9ccce6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
138KB

MD5
be03402d6bb9afa303e3f0f65079e6e6

SHA1
0aba7dd8d73179f4b26558415b70dd8eb41df5fc

SHA256
5c73e132ce8a2305849fda77c683afa19119e9ab8fcc0f758c3eedf0729655b5

SHA512
63a267bec3977ee9e385e22743d2c835e91acfb85fe56475decf7f84a61f0f733a6bde6d4e777d6851d03fc0694664825697bcc0e610a5f06c60d97274b076a2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
100KB

MD5
a04feedcc8183214b6d528694cf4d233

SHA1
3f4cb03467389540812188eb757343eeceb966de

SHA256
923ca979ecf054f01137f06fb6032e8a65e223e9a3fa1a3e4d0156435f8649d2

SHA512
09cede8b49d58125e8d7c00072088503cc220e45bcb96b263d73b9c3d91f96b46fe2848ab3a9cf87357cfa7a73c59678c251a86e758581622acf54d3b1194ab3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
101KB

MD5
0cfdd24fe31748402ba90f5218fa4690

SHA1
323d81488c3459e7edeb8e384b8c94801aa1c861

SHA256
8144249b0897fad78f8f078d3c0de12ae210ce5737883abb64eaa8f1895569db

SHA512
e8a435695c7ae32566b3e1358b797d79723bb4d9aef4b0ff2856dd92f28df0e23b51374f17d1757a2c25c176007b8528bdf236ab86334e70427df9f9c081b11e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe57973f.TMP

Filesize
94KB

MD5
fc9ac2b2f1e9846b348fb23da1d0ccc8

SHA1
be2c6a3653b5dd051020f0063944d8d3ec13ea1d

SHA256
8603e1708893c19afd91f8dd0cf83bd055d6ae0a461efc7818c475bda576a507

SHA512
3081edfa869c71241506331015cfd31cadc652ad23d77e0f9d74faa92805a618add0fb7888c10a3b41912ac62bb633acd64bdc4b76672d78647700fc92209d6b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
ed54734acd949da0d0b659ec9f71dc0f

SHA1
bfaa933bb6ff1cca555d52e04082c51276a816c7

SHA256
32d14e97f78a6f89ec56e3ba330e202dda9fd920e0532f4a76ec093a6559ccf5

SHA512
fefac5d2e6e897410d3b1a0b108a79c266dabbeff0a668aaa0f1fff8d292a7783ed8b6a3848844a8500b5e8e6de32f3f23d4563deef02616e721c76fc062037c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\pics.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\something.bat

Filesize
270B

MD5
1afe03ea8170f5eacbe2106bef00722b

SHA1
f957f6e435f0741458a05d10226939f7baab68b5

SHA256
87d3fc8a117d46fa6c58f40fa7711affea75c4b67a74f20ffd4dd649b7194cee

SHA512
59d611164d1eca2fc15f8964cdc1a6e448bd0147afc0bd44839ed053803b316bd603ddb2207a0e33b9c34671d962bb39961dd46115cde5e8548a7283487da797

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\man.bat

Filesize
62KB

MD5
7d78c3eabc42e1a89c1936f032286977

SHA1
7eee938120f623c000caaf2a499cfde522835e67

SHA256
46de1da9ea5372ce4b6d5a7252bc2160bed21d348ef537eafbd3b70e6a90ddcb

SHA512
394f36c63ac023a1c9a777ccdf68ee0142faacb33be8b0402fedd3e70b65a758d0d69e7c50009fdf1e68a83965558eea08f9b7bfcec5d7cd4209421c73c163ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1057.tmp

Filesize
1KB

MD5
161ba12614199f010311ae403ee3cb15

SHA1
0a517dea47f339d1a0007eed7e8605336fb30a50

SHA256
8859b03b98668fb99b7ff032939baa1f629cdbe794a355297c01f279c4fa012d

SHA512
2d26ae231aeae9127e767c8c19b30270103e994bebf8651caca38fa8fde69f0bc3dd10a04be609356ee4032c768e70488bacdfc8708ac68702e026e95781cd78

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA2C3.tmp

Filesize
1KB

MD5
fbb03ce259a0eeb94dcf06f9e271638e

SHA1
8d2574236e0fa6b15f6e7b226e333e4e3d7e8de1

SHA256
81b8ce02c477b0014626ee6023591f367fd0369887ed3d1e935a9ecac9612a2d

SHA512
91a2438d4b8cde81f66758ccaba84fb163974f1ee57456e35801980b12eb139c1f5d6f6ef9862238c790d834acd99125ad03a2e3964b4ba6f81ac7cae4212705

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbbwz401u6.txt

Filesize
7KB

MD5
3ea07e0b9eef74c0ec87ea477afbfea6

SHA1
a8c5252c9d45611fb6fbd56279c9966a44d6354f

SHA256
f6e3a5b5b5d566beb9a1d00da4726520c105424c7b580a9333e2c4c5c0ac8d40

SHA512
35f24164068d997045b7bfd6f73b74297cabcf14e25dac2050f3fc73e95849c2c99760f494e04a4f9609d904e03e8195cef77e18bc5339a67e9cea01787f948a

Download Submit
C:\Users\Admin\AppData\Local\Temp\xbbwz401u6.txt

Filesize
60KB

MD5
d2d356dc9a643a52eaf1c75d4d7b9e0b

SHA1
df47945e40353a311f0c8425a571b3363c02daf8

SHA256
232207e84e48bad8a9d0ef2ef9feb745e0bcc315fb5240266cca993dea06b875

SHA512
c240b4ec2579e6cca68640d7b141ccae2153a5abe1c0a85b7824aec8d27872ba1c49b21998b0b07422572095b1039012e23210ef01a7ba281b46e708813481b0

Download Submit
C:\Users\Admin\Downloads\man.exe

Filesize
204KB

MD5
1268743be22b8e86fd133bedbbafce73

SHA1
4f22a9363f5e07d307a594555233f5ce38c6412e

SHA256
f60bc836779c9371dfbb897506c0e74c3985e3b246ad53924b63cc80a9910de4

SHA512
ddf9415783536e941e811e4ad3bc36fb2a91cc650f47d473bca85ddbb70cad2c7f7bc0be31b18ad74ee91278db5da833a7ad51b54abbe552744ab38347ff5d8f

Download Submit
C:\Users\Admin\Downloads\pics.exe

Filesize
45KB

MD5
a02107a30c960620ce21bd2030442feb

SHA1
51ff3d68754c8b39479649691d5fcc1179fa07b6

SHA256
3e85bcf513c45d1d4ff742714cdde33230115c4a64a74d46770b3f62ad7a1c7d

SHA512
ed16c4048c255dbf80770f9fedbac6d8e4604d64cc7040a8d69a314c68313eed04bf1683dd14f9619e3b0d81756b3ed044f7a4768c0c0588f7d4b893f8ff2299

Download Submit
C:\Users\Admin\Downloads\something.exe

Filesize
180KB

MD5
ef27c04fd27ff6ced209a5d87aa80875

SHA1
d6cd18130f6a988477ec2a01bfb0556910287d93

SHA256
a8f4f303f7fa7ad96207fcc5943c93c4e54c53fd07e42caae9af16e2360f7e0f

SHA512
63312bc9aab3430a59d169ca4d1222aac44b430faa7dfb4498de4ddb966c25b98046abf11dec021a2f69aeb7d4d0537e1a3850449288535989a6d642b4e4d374

Download Submit
memory/2316-134-0x0000000000600000-0x0000000000612000-memory.dmp

Filesize
72KB

Download