xenorat | 8c50b01988e0e4134e623d602f82c33c22add9e337cf403a590288ad95711031

Analysis

max time kernel
199s
max time network
317s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
01-09-2024 10:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Fixer/Fixer.exe
Size

45KB
MD5

5ef7344600895b2f13d5d8e44537d946
SHA1

bdf05e86b0c923a0c1edead40cc50819b185d4c0
SHA256

50866224673bc35d89ba701eaf3e794f452fecf308e9fab36be21fe8c486a9d0
SHA512

9563e4b2c98e3ccc8b47c9739a9a74680c9782f1bd18d67c80fb5f85e6bc667df72978b3d7858ddb30ba522d574215b720a2792b7e9e6d34759d0cdc2eb43c69
SSDEEP

768:OdhO/poiiUcjlJInMzH9Xqk5nWEZ5SbTDadWI7CPW5h:Yw+jjgnuH9XqcnW85SbTMWI5

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
1
install_path
appdata
port
69
startup_name
System-33

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Executes dropped EXE 1 IoCs

pid	Process
2036	Fixer.exe

Loads dropped DLL 1 IoCs

pid	Process
2136	Fixer.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fixer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Fixer.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2680	taskmgr.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2680	taskmgr.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe
Token: SeShutdownPrivilege	2092	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2680	taskmgr.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe
2092	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 2036	2136	Fixer.exe	30
PID 2136 wrote to memory of 2036	2136	Fixer.exe	30
PID 2136 wrote to memory of 2036	2136	Fixer.exe	30
PID 2136 wrote to memory of 2036	2136	Fixer.exe	30
PID 2036 wrote to memory of 2808	2036	Fixer.exe	31
PID 2036 wrote to memory of 2808	2036	Fixer.exe	31
PID 2036 wrote to memory of 2808	2036	Fixer.exe	31
PID 2036 wrote to memory of 2808	2036	Fixer.exe	31
PID 2092 wrote to memory of 2696	2092	chrome.exe	37
PID 2092 wrote to memory of 2696	2092	chrome.exe	37
PID 2092 wrote to memory of 2696	2092	chrome.exe	37
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 2916	2092	chrome.exe	39
PID 2092 wrote to memory of 3032	2092	chrome.exe	40
PID 2092 wrote to memory of 3032	2092	chrome.exe	40
PID 2092 wrote to memory of 3032	2092	chrome.exe	40
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41
PID 2092 wrote to memory of 272	2092	chrome.exe	41

C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe
"C:\Users\Admin\AppData\Local\Temp\Fixer\Fixer.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "System-33" /XML "C:\Users\Admin\AppData\Local\Temp\tmpAFDF.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2808

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2812

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2680

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef6fb9758,0x7fef6fb9768,0x7fef6fb9778
  2⤵
  PID:2696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1204 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:2
  2⤵
  PID:2916
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1540 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:3032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2320 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2328 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=2792 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:2
  2⤵
  PID:1520
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1464 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2236
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:1556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3644 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3252 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:2796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2108 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1772 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:2136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=1032 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:1804
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=1036 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=2636 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=2084 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=3596 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3548 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:1176
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=3432 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3484 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:972
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2728 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:1
  2⤵
  PID:844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1408 --field-trial-handle=1412,i,12073265509654420836,12547933118831811854,131072 /prefetch:8
  2⤵
  PID:2396

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:2640

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4bb35cd0cc1a1514ec16831e9e143498

SHA1
ba49f9d485c111c32a333eb14e146ea730496c22

SHA256
212b307b6f70768cba939f1c0acacfaf726f261d30fd53220f490c61e3db11df

SHA512
8d89340cb23f9983853a4c7ad64568083a8b35af142470480e7603c23c2514278a96bf1243d59549b81e87ff09316330ddcdceedcc2c8004e64d8a3156ca0b50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\441d58b4-7d81-4a22-82fc-3bfc5ac021fc.tmp

Filesize
350KB

MD5
5e4e772c27b3b8f17384d664d3f90135

SHA1
84902dcdf39810594f2db0d9d51df2cbb70befdf

SHA256
b743ddaf2fe264965e9bd363df6504ecb1b1797b5a9da4ac202835ce7d994bb9

SHA512
e1d1882e6f9481c378ca94a73311b9cc3ba7d1012d5ab979fdc13604a9fcd1061c2281e34dffd259ff3fce3b250c715204186aff84667108d468ab90a86a4af9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
828B

MD5
7846d5f5a4c13dcec215d8d27eac98e3

SHA1
0fd729afb1c5eafef3d63731a758aff102aef355

SHA256
d9cb8546190623662b87d952078d23b2509515367225d9aef06ba5dff7dcde58

SHA512
3b94b983485ced3bb4e1006b65fd7d45ac92009034aaf9f796f262069cbcaf094ef83f498dad849e251e145d87dd66cb9db1e3eb43235079c18c4d1206db9580

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
632B

MD5
e97a79d27b6c848d47a057300484a961

SHA1
c9964c521d4030fe8252f144d73d8e3fcc3a19fd

SHA256
787519af7f15d9e16b7873792304b912fcecaf9199fb5998bbb9ca267bf0a6fe

SHA512
77b26469b79f05b419ef734ee825878908fc5b961ed7b704043cc3f58f74c1a57235710526ed3cd9983c71f6ec1b399a2d7a7cb9eb3ad427def7ef9e6c9e8062

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
361B

MD5
a2a0760058608e7667c64973f5c6213a

SHA1
7ad39c67347bea72e94e0d74c30364d1917d1c81

SHA256
dda6e4ec24214051e3241cfefc5f30430070d2ed1209d33effc00e17580060ca

SHA512
72a7ecf0d12e793fdd74a12420c1c13995bb2d7d24374555cb0aa8685ba1d0969b8663562b55529b7666dd98e88670e3b48718586b0e17ca47840d47acf266dc

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
363B

MD5
715bde5af4dbd15b46825ebf6988ed26

SHA1
db1c72d954ba4cf51af068af1908658150b4a944

SHA256
b58ff602bc5a69b895690822cd46595f5f70e08d68171b305c38defecdd846a9

SHA512
106d1edd41a13777f1a7b76d60a20b98fd9715c955599a8b9087917e3849a839edb508635c0cc5f8dd25a1d0f5ffb6b8e358c608c9aba49ce2ba162ad84f1dec

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
0524ed74bc29de3b44a1a736b39af1d6

SHA1
3e76be7865e90cda6214951a1729c39ed519ae3a

SHA256
2fad702775fb4521d9dbb2e45f62b8df5249a54cc8ae06b114eb5d96cf9cf50c

SHA512
9be602d71e5241f259d520d52d47fc03b4e0778d33889497cb0a795607f19d1c8747994b0312bfac2cc50bbdae65c9312488785a3441f6166654ee3e0a3f05b5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
6fe27b1fd96525a4a6d500672c063121

SHA1
fa5c21998b643b4c3239bd092d41292b662518ca

SHA256
fe39c4e9b259d95ef7ed3858217d1ca0ff768e5a8640be62c47a5820dbbdbccc

SHA512
b9afae11cb06df21bfe6ac9fe280d61b6bc97281432f8d75c48dc323ce2f495bf12f81fea7c04c62537d041e39dfdbd3069e19f5c6ca1cfca6600aea04f4295a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
a44858dd1695b04d7f9f6db6ba26307e

SHA1
dfee5a431e0267e2f5353609e483389588f82cbe

SHA256
b338328967ee25ae3e7b5602dbd4d2478b4843a56679d1dd72089b7c240f53fe

SHA512
7d32d68f704a153ff31bccfa08170044f0ac0329c925c86d60154d9512d49835c9d7f28779e0368dd6b8b2d366157c72b70221be129629ec5a2b5816637c1b99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
cc66a04559056e5750827e417c20487a

SHA1
7830dbc46ec2044f39b07c62eb6e0314409919bc

SHA256
00d566ecaa85068fd69a5e449b225f270a391ec4eaaa9ab53f86ccf3e3202b64

SHA512
8bb661dc71c0d935b92caf8c2e3513d9a65c1f840964b506f7ab048a60928478936d4f28ab14fd6eb9ba40501ce046266dc576775a86e77a664490d7ce0eb368

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
9dbc5398e9eede809143c515101d34d2

SHA1
d75ae74a23b3993379ef8795230f1cebc517bac3

SHA256
3164e42f2f6c7b3e833e980eb0b8767a32196d963a68f6abe573d4e11ca6d448

SHA512
45068f24bc3d6fecfbe589a99ce66bde1c26d95781427d056469f9e8d47bf4a9cb91f61786c63fb365e4b558a085a848a3b25b8d91ab42f7e43775483403f43b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ef98b4831e8354fe4224cce10f830501

SHA1
8ab05cec0b56e9b7b5c4ee39978894954754d841

SHA256
c7447bb475834c43473b0565b9543cbd63d179d688a01a5a12f427decfd1c555

SHA512
5b717055f2092142e1abf568551da6cfe81e9319f49d3762000c9fd77943842d6d06f671fedba78f904690bd75c4a7c007b761770282d8a239bf333c2042fe8d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
329KB

MD5
658c0a9bfcbe4b310288ea4afec1b1b2

SHA1
e89505906433a3813d6f70f49f9361a0b82daca9

SHA256
7b0580168f11c656722ac6f482b9e231000fa713a2c8e05e4367bc8ffd0d15eb

SHA512
a5e476bbd499d87e8cbe23224c8fc629c00da6898409e96b192430d42e2ecfd40ebf827e1eff1ad552c33c077340c2f4035a448dd578dbc51e81125db75b8221

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
319KB

MD5
913e4def61d919c48868f4a343d8ca85

SHA1
da6d9e7c8b861cce579b4836057bb604918fd884

SHA256
076d3788d57af46f43cb3f0f62081d604e98310273b950511c0b889ae8deec08

SHA512
08eb25423d0a99b108ba1a0648b47b06ed56f4b83e012d49affe79282b41dba80aea9f9489578925cbd2e92152662ec6dce33f85f244ec399f2109947bbabea4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
329KB

MD5
1aab5eeddec5a0435b8b622669860e2b

SHA1
f0b3026e115110067cc87cc87c93464420cebfa3

SHA256
7ac36da87e86d2a0e74cbadd546ad762142e22b486fdf56906fc3df9e5cde9de

SHA512
8ec8b5202eb9f3ea6e5d0aab04c1b745e3f6d44020b413f143bb19825c94b62c5368a3faab6486663ed355285257e22a9089929d38d88777f63d122037a9004d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
347KB

MD5
a7adbaa390a08c4f0acbc31eafe05108

SHA1
d60ee3951ecec41c475be6623f3b835785d496d1

SHA256
64544d5e2b79957f1b05a4f6aecb4216dbe6b1ebbd10a8d3e0b169a8ec509d47

SHA512
f65e2a00ca4f3727ce4974e9cad535caf4ed1ace64e7ab9410bdfc0f2704dbcc4315d032a3d881fc670107c0f961a5725f25282a1bec89c8bb69df1bddf92929

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
329KB

MD5
ab5273f4bcab5d981fa808ff61652423

SHA1
f0e778475363bb55e416f0a9989e3375651be28f

SHA256
09b5c606b2b80e75e3df3f0d0dbce79bc914f74b968a369f7daf2cc27991c5e4

SHA512
a1637c30ff4e4b2262fc6023f914432050e354e1c903922deaa7c0590fde8388e4d8111145db763a86537ccba93a5fe66645ba37b073ebb5601009b392b3f964

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
76KB

MD5
644b3f19c7752240b386aca3aae19e96

SHA1
6abaa9206d8753ff79ad8a446be74f588408ec32

SHA256
3a74f19bd540bbf5d7a9234ea1dacd5cb4801f63f6ebb4e8cd4a18f522783f0c

SHA512
2829b1c425f088ab160b527cab8212e921063760bed4aac56b714cd9ddf7649adae8236e9f43dbcab9fa542d2185495af4e95f8b6cf232cab45921c60a7c1123

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\fc8d8cd1-90d4-4b93-9145-bdfbc0b4bd39.tmp

Filesize
330KB

MD5
77ba4ca0a41e32a12b32e94e35c1a0bb

SHA1
f51e2cdeade3e3d0af57eb4bdbd18b914405c8d6

SHA256
5e5f8babfaf081ce7838732fa4f95669c0b141ebf2667d47a0813b388df02370

SHA512
d20184a51a45015fde18a6ff4cfc3268e7ef5101b38ffaec4d89cb48aaba68667ed4ff9e33c430ab38ca5ffc1833a5cc16e63c40f0afdde3d4c6c7818b517779

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab252F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD58D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAFDF.tmp

Filesize
1KB

MD5
2ab093f77a33e7004e362f78c87763a8

SHA1
2a4dcef9285dd583a33c1c5195cac7a37daee193

SHA256
4691f336ef4ce21e9f11416ab10393a8d4760db2025cfc0bd59acc25e018e234

SHA512
343b32e2048b259717e04dd98ef8900f3951ca79169947f1ed642b76965d95d517bd5a7878897aee21bd4350ac96aa1240e9d7e86e0fb53b05e28da716e95d3f

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Fixer.exe

Filesize
45KB

MD5
5ef7344600895b2f13d5d8e44537d946

SHA1
bdf05e86b0c923a0c1edead40cc50819b185d4c0

SHA256
50866224673bc35d89ba701eaf3e794f452fecf308e9fab36be21fe8c486a9d0

SHA512
9563e4b2c98e3ccc8b47c9739a9a74680c9782f1bd18d67c80fb5f85e6bc667df72978b3d7858ddb30ba522d574215b720a2792b7e9e6d34759d0cdc2eb43c69

Download Submit
memory/2036-10-0x0000000000130000-0x0000000000142000-memory.dmp

Filesize
72KB

Download
memory/2036-13-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-14-0x0000000074020000-0x000000007470E000-memory.dmp

Filesize
6.9MB

Download
memory/2036-9-0x000000007402E000-0x000000007402F000-memory.dmp

Filesize
4KB

Download
memory/2136-0-0x000000007471E000-0x000000007471F000-memory.dmp

Filesize
4KB

Download
memory/2136-1-0x0000000000930000-0x0000000000942000-memory.dmp

Filesize
72KB

Download
memory/2680-17-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2680-16-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2680-15-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2680-18-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download