xenorat | hxxps://gofile[.]io/d/oOpyqm

Analysis

max time kernel
118s
max time network
119s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
25-11-2024 02:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/oOpyqm

Score

10^/10

xenorat defense_evasion discovery rat trojan

Malware Config

Extracted

Family

xenorat

162.33.179.3

Mutex

Lethal_cheats

Attributes

delay
5000
install_path
temp
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x001e00000002aaba-89.dat	family_xenorat
behavioral1/memory/492-128-0x00000000001B0000-0x000000000022C000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
492	client.exe
1816	client.exe
3720	client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\client.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	client.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133769740238308949"	chrome.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2410826464-2353372766-2364966905-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\client.exe:Zone.Identifier	chrome.exe
File created	C:\Users\Admin\AppData\Local\Temp\XenoManager\client.exe\:Zone.Identifier:$DATA	client.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4956	chrome.exe
4956	chrome.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
1816	client.exe
3720	client.exe
3720	client.exe
3720	client.exe
3720	client.exe
1816	client.exe
1816	client.exe
1816	client.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe
Token: SeShutdownPrivilege	4956	chrome.exe
Token: SeCreatePagefilePrivilege	4956	chrome.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe
4956	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3136	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4956 wrote to memory of 2108	4956	chrome.exe	77
PID 4956 wrote to memory of 2108	4956	chrome.exe	77
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 3856	4956	chrome.exe	78
PID 4956 wrote to memory of 336	4956	chrome.exe	79
PID 4956 wrote to memory of 336	4956	chrome.exe	79
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80
PID 4956 wrote to memory of 4896	4956	chrome.exe	80

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://gofile.io/d/oOpyqm
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9e3d9cc40,0x7ff9e3d9cc4c,0x7ff9e3d9cc58
  2⤵
  PID:2108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1848,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=1844 /prefetch:2
  2⤵
  PID:3856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1924,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:336
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2168,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=2344 /prefetch:8
  2⤵
  PID:4896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3076,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3120 /prefetch:1
  2⤵
  PID:4304
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3084,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=3268 /prefetch:1
  2⤵
  PID:428
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4308,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:1220
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4568,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4560 /prefetch:8
  2⤵
  PID:1668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4648,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4408 /prefetch:1
  2⤵
  PID:1612
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5076,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5092 /prefetch:8
  2⤵
  PID:2788
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5084,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:2868
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=3280,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4296 /prefetch:1
  2⤵
  PID:704
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=4844,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4840 /prefetch:8
  2⤵
  PID:3192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5344,i,1810680223791090945,9234617722116431953,262144 --variations-seed-version=20241006-180150.222000 --mojo-platform-channel-handle=4816 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:2068
- C:\Users\Admin\Downloads\client.exe
  "C:\Users\Admin\Downloads\client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:492
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\client.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\client.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    PID:1816
- C:\Users\Admin\Downloads\client.exe
  "C:\Users\Admin\Downloads\client.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:3720

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2504

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:3944

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:4848

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:3136

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\29907401-167f-4c2d-8270-6ebdc1dfa3fa.tmp

Filesize
228KB

MD5
1a52803a95f2c6e5630637b13a127972

SHA1
622dec26b49a467250d499290809b207aca98747

SHA256
67c1d2d5634af49c817de756bb25a346ce132eeadba054f0c7e768b40cf93832

SHA512
463826f49ec3186af18128b1b4a7adfae518f4d23024168258d3a56045c3e8dd2bfcfc164b68c3efdbdd07bb5682a7be1a018c3d6bae108fd2c0af2c95ec4b43

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
de1b0c647d6c6f72fa5975f92256ad6f

SHA1
dff1bd3fc3e801ae071c89523d47db855d2304c0

SHA256
2425ff1764b4e7289deb4dc324ef87bbe751107d7c0f8f3cb940902f220e3580

SHA512
2f00d6cee06e91710f1f173683158fc98631494cec923985d6a01de212fe66d1718313cb8d72307f2ac9b7059a673b2f6d283644710999fad5d32fcf03bc788b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_00000c

Filesize
468KB

MD5
a6efab91f87192c47ea1b6f2fdf2ef0b

SHA1
b6a4d6f63a4f1e9cc58cb6b810579b497ad83593

SHA256
f03ec00fce64678b9a57153740172d32e2c126ff06b5af68f111a75d92a2d238

SHA512
f99b6fa8c709cff61d05d61726291eeb655a00873988333ffe1e1db42946bfa3037a0d16f4917b2b9c88f1a32bdaebb366b190dd02f979ef537cc3fd09788b4d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
336B

MD5
28e87c7b2a09be691bcc8922c78e15fa

SHA1
2ab94942bc8b5240a23775266f60a52cae42b18b

SHA256
da94ddf7e101b793252f2b23de4fd272dc5673bde08abfabc2ad5eb904a2bf83

SHA512
4b5b9fd2b9ec7efdf15dc9d756a067f00eedbde27661e99ca468f7de2471b9f1eb7b2705c181f4c368e4555dd46377cc60b3342c5d3e46af90f158bf96bf1d91

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
f5d727fa231e147dd1f33d4b54908bb9

SHA1
ba4b37308e3006a9e033e42ae6b68a2c34758e08

SHA256
1910efbba085ed6d6741629f7d0cc568f847d0c5ccf45b12e31fbc6ed0fa57b8

SHA512
9be2b60577c5794d91f2eb494102163d8730df80162b39601f59984619aa67c6b9ded39644fed2c0e1a7f8aae1e7ad2efe9b642792e4780bd1aadeb4ae2cdbfe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
a562fe854021013c2622d42d15c53d32

SHA1
e8339c659cb59b8a350de176e9d70fe6e8e2bedf

SHA256
4ea217835729679be3e3fd98d25460751932afa61379042021a6cd3e38c5631c

SHA512
3f162085cbabbb56bbd6f0b910439b5888c9c22c2c4805a1490b91d1e34630e6ac88d87ae38ed2d0c06d72c4e6d9d89e2386273940ccdd42773977bd71dc20ee

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
688B

MD5
8c5f1803c69c60c31288e5dc5795ea36

SHA1
8b779c4d47fe63a948196940b6210fcfd44b0794

SHA256
7b3c679641f4872aad23b92372ba3f177eeaf7e0dae86d31a42b7b1bd6250720

SHA512
5fd3680b1d48324a12c0dd77b696a5df9c4d1b089986429db5c2e1157e84f7a0692460e8544771d1362ac3cd5af6f49af30802a5e4f04b40dabd19d3d4da8c05

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
08904edd1ff4af37bedeab4e303cf1d6

SHA1
1112937dd90559da1688fe523025d1907f9bd49b

SHA256
a2a4aa9fa18fd1ea469f509f4289fbdae26539572e073b4059ec26197c0ac1bf

SHA512
df54e771f7b5731fc44b259cec61550c66def75fb25dd5db79aaa5d77fa8ab589ec98004e028475a3a6cea95af7c0296cff55bb51d6409b01bb9c75badb4133c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
ddf37ef2880bf05bde8eb7a1bf8556f4

SHA1
217264064b95a876234979536c591fab665bbce3

SHA256
78cb743c1fbae79c0bcc7d7761acd2a6359938805edfe2884f174afa611c793d

SHA512
bb246b0e3509694eb1a37c37a59fab846d488dfcbab183068e188ba69e522deacea189a604f2e8456fe5533f22406897a82342b24986ab898046c89c67cd29a7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
302977653363f09aa776bb2beb70fdb8

SHA1
a5ff5780c5b6f7c866d7b146581dd2ba2c496c0a

SHA256
f2939800990a6e362b2cbf333bb8e1218bcacea3337a32176dd58bacab38d155

SHA512
46437fd25419d67bbb1993d69bf59f03c97f44ebb1b4176d63717b446e60cfa456139300771706902814e30044a17348a21e7fbc5126d787c1303f688c2985cf

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
c8df16d592057a73c76a3decda42737e

SHA1
267af86d70281b82fbe037bcc7cd6c3a5e653381

SHA256
18f59d0b0793512bb72e0b62d28cdef4766dc89769302cb035c08dcee214bbfc

SHA512
2ed763bee9ec1cdeb55a72da1cb589737d2f35991d30b49c6518bfa2c07e9fa4a6be75276c2a8a4e4a2afdba4311850d07e378ce292c61ec74dbccfd91f94606

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a6f881c075fd2fe41e7e89ed9c342f39

SHA1
ae045a4e4e3a9d3bc097652170ee59df78b90f53

SHA256
2a577b43381cd34f6d6236af763eda82e4f88043667919e8c8b6ade8462dac16

SHA512
9c352dfd7316da65281df4421995cc4b1c3b8c326b59403cfb934370739c5ae860afd5e3954cad637ccb8b5ba26386b0315f4612a82bcffae02f7e7e0873f1d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
d692f82e271babe338e72e64e925189a

SHA1
461c78b85d2f9f73676e53873f5fd5b7f1595d80

SHA256
3d754580ee30c73b31eadd171bb6a3d5c0e8e8b927d30d16916cd7ef9a490541

SHA512
989a71287460b723fedb00eacbc58acae74e99b8b351f2eb09fdfd0f2f26235db20ed6c93569de54385f486a1ee58fb21fa2b9b01802372d0b7c21a4f20877ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
4a7079c7da85de82f3880f4836abd16a

SHA1
b24276c6124d1952888e0ce7f767509a974ded3f

SHA256
d5b7a8fba02c58c42105e1da242dfccd317dcc74637d24736e0876bcee1e5531

SHA512
7bf04004a1b78125eafc27a0e32133fb5af34c518cc5ee21887001ea716b1d71e791446c091b4743af5f3710b3a47f8422d1fb8d3c24ba44a4bc02a22a7f297e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\e1c2f74c-dfb5-44b4-be30-d6187cf6af8e.tmp

Filesize
9KB

MD5
77a7077fe88af3863fefe56e029e910a

SHA1
c10ecc4915ec7c706f171019ecf9308f43efc589

SHA256
3e4b970845278dc1c07331d9ba57a9176b03ea4dfb4629a676b77a93d617b0e6

SHA512
f581498b44f26b0620f38cc004d2cbc747229322206ffc32e6929221a83d1fcb0552bd86f2577346f6d993423faa4e81e246b7d7fc1c7d58275ffcf08ffe3573

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
228KB

MD5
c4760a3b2bd0181e5c19dbed8d494911

SHA1
5abcf52b3113770572478d5c3b306e8792c37a19

SHA256
6e0a5f391de7ef7e7b5d8aad59411657e513d9e9d22446cf3fa965ef6a812329

SHA512
4fdd5f467f8721f85f9f6948ca37debf973b8e4934cb4d0059a15f8922fa4d11255c2811057c1750c3d4aa21fb1300738268b3ca5705443e6f82fb56b7691c63

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\client.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\457e4f66-7be6-442b-8cef-ed39f04dafa5.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
711f1a880c08e1f7867f1bdd117320b7

SHA1
50c2d0859f6fd41024d486e2ab537507b975991d

SHA256
f868e98aa21c341e365d73e301d87c006b557033d8d7b2808fed207734fe5143

SHA512
885c2abd9047727b33ea760836cbbe4eaf5fddc08375a8b37840c99332131f0f7164f87c0abeb4523f42262349ab12a1c22c12813a9d81d6955c7d20b41a9a0a

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TempState\SearchHoverUnifiedTileModelCache.dat

Filesize
10KB

MD5
99d3ecd709464e38b25be3ab947ad5c9

SHA1
f3753394a5fef90f29dca347abd40adf15e9a47d

SHA256
c87c395c07643e24dfa5b59915b602dea53bf7c7fa7db991af59b84a122c91a3

SHA512
a694c3c842ea72e34d654998cc38a98ec5f3b53727a377789ab10ca49845e7dc1334c945bafc659a489f5c0cd65180c08b13d69d0780a2855c95a1978c58c991

Download Submit
C:\Users\Admin\AppData\Local\Temp\XenoManager\client.exe:Zone.Identifier

Filesize
153B

MD5
ed5e3c99f86b13e9939b89d872d4c6b8

SHA1
10773866ab1bf68586c16bf17083790ff6d47c58

SHA256
df7c72298c0463b2ee58c9c689aec176964cd0863dc5582be45d1c9d60e787dd

SHA512
1e091c235eadc6d8ba8e882239a83799aee65a14c7e7437014209e9910d95f96720c339a05ff033db66b52fabf44575d099edc47ea3567831f57e9ee6de3d1ef

Download Submit
memory/492-127-0x000000007524E000-0x000000007524F000-memory.dmp

Filesize
4KB

Download
memory/492-128-0x00000000001B0000-0x000000000022C000-memory.dmp

Filesize
496KB

Download
memory/1816-171-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download
memory/1816-170-0x0000000005BE0000-0x0000000005C46000-memory.dmp

Filesize
408KB

Download
memory/1816-160-0x0000000075240000-0x00000000759F1000-memory.dmp

Filesize
7.7MB

Download