xenorat | 2b503e1b5b94615ac804982d65236744d21d64c47ce9a0447d6d45624fedf462

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-10-2024 01:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JavaTest1.exe
Size

50KB
MD5

bf0dfd236ce52a5b1878da042162db3a
SHA1

fdd3a9ea08cdd4aceea09d3d20bf8dfa1711dcc7
SHA256

2b503e1b5b94615ac804982d65236744d21d64c47ce9a0447d6d45624fedf462
SHA512

19a4b6e097979b043edb3714776d9a538462c19cb74cd578d6dead98cf1ee0b5ada7613a2ecc1188e7b838a3dbba39fd8189841c02fbc681c81370543b23abf1
SSDEEP

768:wdhO/poiiUcjlJInIFH9Xqk5nWEZ5SbTDaxlWI7CPW5uidj:iw+jjgn4H9XqcnW85SbTMlWIWiB

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

JAVACORELESX

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/memory/5112-1-0x0000000000F80000-0x0000000000F92000-memory.dmp	family_xenorat
behavioral2/files/0x0008000000023c69-6.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	JavaTest1.exe

Executes dropped EXE 1 IoCs

pid	Process
1412	JavaTest1.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaTest1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JavaTest1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133729108516112616"	chrome.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-2437139445-1151884604-3026847218-1000\{50E41F78-8EB5-4CE1-82F6-A6A57F4D5944}	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4924	chrome.exe
4924	chrome.exe

Suspicious behavior: LoadsDriver 6 IoCs

pid	Process
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
4	Process not Found
664	Process not Found

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe
Token: SeShutdownPrivilege	4924	chrome.exe
Token: SeCreatePagefilePrivilege	4924	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe
4924	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5112 wrote to memory of 1412	5112	JavaTest1.exe	85
PID 5112 wrote to memory of 1412	5112	JavaTest1.exe	85
PID 5112 wrote to memory of 1412	5112	JavaTest1.exe	85
PID 4924 wrote to memory of 4828	4924	chrome.exe	96
PID 4924 wrote to memory of 4828	4924	chrome.exe	96
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 3436	4924	chrome.exe	97
PID 4924 wrote to memory of 1928	4924	chrome.exe	98
PID 4924 wrote to memory of 1928	4924	chrome.exe	98
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99
PID 4924 wrote to memory of 1524	4924	chrome.exe	99

C:\Users\Admin\AppData\Local\Temp\JavaTest1.exe
"C:\Users\Admin\AppData\Local\Temp\JavaTest1.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5112
- C:\Users\Admin\AppData\Roaming\XenoManager\JavaTest1.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\JavaTest1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1412

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x118,0x11c,0x120,0xf4,0x124,0x7ffdefe9cc40,0x7ffdefe9cc4c,0x7ffdefe9cc58
  2⤵
  PID:4828
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1972 /prefetch:2
  2⤵
  PID:3436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2232,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2244 /prefetch:3
  2⤵
  PID:1928
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2320,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2524 /prefetch:8
  2⤵
  PID:1524
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3172,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:1040
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3228,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3288 /prefetch:1
  2⤵
  PID:1348
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3744,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4584 /prefetch:1
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4060,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4548 /prefetch:8
  2⤵
  PID:3500
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4888 /prefetch:8
  2⤵
  PID:4424
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4976,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4912 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=3176,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5160 /prefetch:8
  2⤵
  PID:3256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5148,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4968 /prefetch:8
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5196,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5272 /prefetch:8
  2⤵
  PID:3020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5232,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4492 /prefetch:1
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5088,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5136 /prefetch:1
  2⤵
  PID:4224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=4068,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:4308
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=3592,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3512 /prefetch:8
  2⤵
  PID:4892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,3139082544202372121,5491354279065568656,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5468 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4416

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4416

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\temp-index

Filesize
504B

MD5
ba150c46d6b81e0793efb8ec7130a71c

SHA1
29733bc734bc9a83f500c895cdcd707c710579e3

SHA256
d61be40f72b1c6460ec88081a6e550b83aeefb9ca40687ab0df3d0cbe7e51282

SHA512
3545e6fd3bf46625fc8a21656141aafcf17b4c676700716435c2df11b9bff5fcad0ca2dce2cbedfbdcafcf97eca33618c0f15dda14fc159752c0c66110435426

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
4KB

MD5
fa2fc31f9c1f038d2138a742ba945444

SHA1
1e0c866658d63466dcc24bbf9affd305e580d419

SHA256
d1c3bfff61e163f0785ac7b243b024caf3ce3c42590671cdf23048ec3af5c345

SHA512
e4d675529f722c8358eeb09c97d7a70a897754a9b00e261c194807f1c4d5e85ddd0e8200f8f095443a5c20a245bf89dfd6b39d0bcfd62db115d56856c8243fb3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
70a058e08386340ba1423300f2ce6099

SHA1
bc51953f2bc05886794cc130f75f9e2407198fc3

SHA256
a2f18a28349f8c971e21c683dbe7b8792895a5aa3246cb8331833386b1f9928a

SHA512
79268d4ee91a5efed6f1028bba7e39ff6ebb9eee04e286a1732d6f61982acef7c032bd0ace31425d246bd1e365030fb08a84f711f357199642c30d8bcd4b0f15

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
691B

MD5
a3239da624c7add731276aacad47aa4e

SHA1
37ae9f7e76763c9bda8d03b02fb6723c7ab5030f

SHA256
7ac29556cbb5a6a7a2be24e905c1f8dafde885ceb3b72698d838f342262a750a

SHA512
3b87a1b98e770a28ba9edd89af8543334c5e1db32df0f54b41878abd52884ced67cbd530ddafe9913c0e81473db15bdf24c0fa8dd16bd27e90e48b0e2d374332

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
efc0f6cdf997763a8afd3abca59503e8

SHA1
fbeb77ce4fc30659fbdd67a7a9be4fc4a5425f8f

SHA256
3d4fad284e0807d28905682de4d63a9e949efd29492321963e19e8d5ac93eb23

SHA512
7c67e800699e1a23f712fb5cf5d359817590042583d46cc52a71b38d01f30cfdf5eb2060eadc1596750d449ecab3e93bd9d5fccf2dae041a1cdcc26fefb9f17e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4548bf88609a382ff5ef4e6629adb726

SHA1
962e0f93b11ea5029d6576b38934d63ab2765666

SHA256
ad29a2f93564d09e6df0a04b1d7845cdb1f10f99351c6aabd2b13fc619467d89

SHA512
2e932ec2d2d38453e69ed53f6f8f208b9f362453713ba5fffbe8df3c8ad491f7f7b52860fa93192e146fc0faefc2f54627f30e16b5e4a1b91c17c7e5955483c6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
d81e43de586f29900f0fc85e17b626e1

SHA1
5e082f952c1afdc43f4e61822ce230ec705ba33b

SHA256
07d63cd337a6f9930bb2bf2d26490e10f4a8390919eb7a6dce4e0822d0673043

SHA512
20d3f77bf09ba0fad41dd5cd26796e46f56670f0791aa677b9172ba718d24558e36b7757f945b0532cca1939241730a7ae18afe9ee3a11c83b064fc7d4b65db3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e423c11c88b08457ca06a06377618099

SHA1
d0b245bc3f9600cb344663a5ab70fedfdb0c2eec

SHA256
56e9a0a99e414b94dc821f92e077b0b139a92e999b1f204531eca4e8a32b15f6

SHA512
946cb8fa73e88019dd58aa6ffe689fd8c7f5cccf9c7cee7db7c19b0330f0a2364afb9d0832d7959aa7c6db1549ae60e1b945bb15a8fb542112e80126f6f93588

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
17a59f9fb1646e35fe45a22f24b1f9b6

SHA1
494a78729ff054403710efbe65ba6c328e06d361

SHA256
ef02309d38d1e6e3b084046e2722f352edb9d0517291e3391aeb24051eef4ce8

SHA512
474233924977c628f3f420af9f0b2f15bda95d3e7a50b354c0def8202a7c26ce3e0c20d00928c7402e9b74fc55d516eea6e77278b384d5688b6a5cc8437563eb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
8ca8fb54db36ed3da6d25383a07affb7

SHA1
da8add049634f495ead5839e1ec736822f4330a8

SHA256
355f4347587501118ed8cdf4442a3631055b2cd7414f7e4a2a321d7d70a2ebaa

SHA512
a9ced65740488ad890527914f99a55194512fb483337c35af61b479293f5670baa3a5fde2e8345422d73e0255ccf16b2549cb0900193b618ee0c06fbbb7ba827

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
227KB

MD5
a0304005f2e834933b65eb7c13036f4d

SHA1
1ca9c12ac54df69c1be8057a8989434e761f9c93

SHA256
ac66729c5dd532dadff4eb9e338a2ab352aa02f27c7d46ec99a723074ca9e55f

SHA512
6744bd865a397528fdab68607c6de46253cfceb5f2f4d2b1a79a1d280bd9ee05ac9fe6d83c51595ee3797d6128baa062b06a4294ccf6e9d9b740ca148a48bade

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\JavaTest1.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\JavaTest1.exe

Filesize
50KB

MD5
bf0dfd236ce52a5b1878da042162db3a

SHA1
fdd3a9ea08cdd4aceea09d3d20bf8dfa1711dcc7

SHA256
2b503e1b5b94615ac804982d65236744d21d64c47ce9a0447d6d45624fedf462

SHA512
19a4b6e097979b043edb3714776d9a538462c19cb74cd578d6dead98cf1ee0b5ada7613a2ecc1188e7b838a3dbba39fd8189841c02fbc681c81370543b23abf1

Download Submit
memory/1412-17-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1412-16-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/1412-15-0x0000000074CA0000-0x0000000075450000-memory.dmp

Filesize
7.7MB

Download
memory/5112-0-0x0000000074CAE000-0x0000000074CAF000-memory.dmp

Filesize
4KB

Download
memory/5112-1-0x0000000000F80000-0x0000000000F92000-memory.dmp

Filesize
72KB

Download