xenorat | e1b5a90f068ee75d794e62acb4386e49a2e48b37d58de79801b437218dc78765

Analysis

max time kernel
108s
max time network
217s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 21:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Client-build.exe
Size

45KB
MD5

304d0e77da53af75ea9b70012a78348d
SHA1

2abfcf36150e5b19e90a2df133d5d5ccdc986b7b
SHA256

e1b5a90f068ee75d794e62acb4386e49a2e48b37d58de79801b437218dc78765
SHA512

0782a2840a73ae9459ba20e7ac9bd516efa55e65c2453b6d7bc7f68b39a63012d762c678e48c2fcaeb6418b31b6d2652fa7c4f33bd6ca0e53dbc018040fff054
SSDEEP

768:WdhO/poiiUcjlJInU9SH9Xqk5nWEZ5SbTDaauI7CPW5p:Aw+jjgnUoH9XqcnW85SbTfuIR

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
WindowsSys64

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/1532-1-0x0000000000D10000-0x0000000000D22000-memory.dmp	family_xenorat
behavioral1/files/0x0009000000016c58-4.dat	family_xenorat
behavioral1/memory/1424-9-0x0000000000B60000-0x0000000000B72000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
1424	Client-build.exe

Loads dropped DLL 1 IoCs

pid	Process
1532	Client-build.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client-build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Client-build.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1704	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2364	chrome.exe
2364	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe
Token: SeShutdownPrivilege	2364	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe
2364	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1532 wrote to memory of 1424	1532	Client-build.exe	30
PID 1532 wrote to memory of 1424	1532	Client-build.exe	30
PID 1532 wrote to memory of 1424	1532	Client-build.exe	30
PID 1532 wrote to memory of 1424	1532	Client-build.exe	30
PID 1424 wrote to memory of 1704	1424	Client-build.exe	33
PID 1424 wrote to memory of 1704	1424	Client-build.exe	33
PID 1424 wrote to memory of 1704	1424	Client-build.exe	33
PID 1424 wrote to memory of 1704	1424	Client-build.exe	33
PID 2364 wrote to memory of 2028	2364	chrome.exe	38
PID 2364 wrote to memory of 2028	2364	chrome.exe	38
PID 2364 wrote to memory of 2028	2364	chrome.exe	38
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1652	2364	chrome.exe	40
PID 2364 wrote to memory of 1988	2364	chrome.exe	41
PID 2364 wrote to memory of 1988	2364	chrome.exe	41
PID 2364 wrote to memory of 1988	2364	chrome.exe	41
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42
PID 2364 wrote to memory of 1688	2364	chrome.exe	42

C:\Users\Admin\AppData\Local\Temp\Client-build.exe
"C:\Users\Admin\AppData\Local\Temp\Client-build.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1532
- C:\Users\Admin\AppData\Roaming\XenoManager\Client-build.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Client-build.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1424
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "WindowsSys64" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA4C7.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1704

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2756

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef5809758,0x7fef5809768,0x7fef5809778
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1176 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1380 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:8
  2⤵
  PID:1988
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1648 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:8
  2⤵
  PID:1688
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2328 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:1540
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2344 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1576 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:2
  2⤵
  PID:1600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1264 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2572
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3476 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3588 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:8
  2⤵
  PID:2672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3580 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:8
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=2196 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=1688 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --mojo-platform-channel-handle=768 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2252
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=2452 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2436
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --mojo-platform-channel-handle=3780 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:1944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --mojo-platform-channel-handle=804 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:1496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --mojo-platform-channel-handle=1136 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:1020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --mojo-platform-channel-handle=2492 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2172
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --mojo-platform-channel-handle=3000 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:796
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --mojo-platform-channel-handle=2796 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --mojo-platform-channel-handle=3832 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --mojo-platform-channel-handle=2988 --field-trial-handle=1360,i,13697301402400498764,3546583805181549623,131072 /prefetch:1
  2⤵
  PID:1116

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1544

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe"
1⤵
PID:2860
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2860 CREDAT:275457 /prefetch:2
  2⤵
  PID:1060

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2672

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GCM Store\Encryption\000006.dbtmp

Filesize
16B

MD5
aefd77f47fb84fae5ea194496b44c67a

SHA1
dcfbb6a5b8d05662c4858664f81693bb7f803b82

SHA256
4166bf17b2da789b0d0cc5c74203041d98005f5d4ef88c27e8281e00148cd611

SHA512
b733d502138821948267a8b27401d7c0751e590e1298fda1428e663ccd02f55d0d2446ff4bc265bdcdc61f952d13c01524a5341bc86afc3c2cde1d8589b2e1c3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
0cae1d801242ed80938fa212ddb29595

SHA1
46b4e3ed9025b1d8d74ecd9233344da9bc1dfce8

SHA256
0784415346977987851d02e5fc70a17d656d57766260f67d05bd0047a832ea0d

SHA512
0b9e91c5bbc0e508b7a650b6282f2b9f81840fe7352ae70a2299f5e1293d4f015c3f7ef4f22e582814bf5c728998e03e7f3240aaa3d7dc97e7a0d9d3ca93c142

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
359B

MD5
83590ecb66df7afe8f0bea6c6e163e5e

SHA1
7204f64ac409a2bbbc18a28de4442cc7b29aa226

SHA256
9b489cd7fce5073576895a77301671e617d0bedeab9169a02a4bc40391a814fb

SHA512
f5d405bac9cc20a7262f93915123deac29f1e04d7f91ce761521442eeb87c4835f6d74d8979024f58e33f2b55d0e7283d69f6779855eb1e4dddf76ee5b790046

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
8ea17b8f551ed29dcccf06cc9eedba80

SHA1
be8a8fc3e50df5db876a34f75d414506163bcffe

SHA256
01e6b7236f94c66a40e6d109fbceb5e535737aa8a76b2b607b09de97982b40df

SHA512
7a92382984a30f3c464b0ddc89b68c78ddebe0587c5b691fa92d0dbb7609a6aca25e8d03311305caf9415806cb50d602bf56ec17900a2bfa147eea3815e39508

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
fe79a4c85230f63680c4ebb972005e02

SHA1
a92f177d99bfa1ad9ff0683f059eec43b2e709fb

SHA256
5c22b18b70021189cb7a4a2be204f7e942e825f8c21fcb98bae2a3e1ca5a65eb

SHA512
c297007f00d4cdb3492e8ca690d92de40157f0b93084c3688515d8147248676bd08d4037a32cae1e651b760a8ef39fceb48e117d9b97073e6473caf084590810

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
958af49cc6638ac75d9961e00b569e6c

SHA1
14a6bb902dd48be22c05873bc146317cb47181eb

SHA256
0ec3c01682dccb7401b91e8ea7d648026a4d7ef2e5eeae264d51326453f4c598

SHA512
5036a6acb169a185450b5c0b79ee30fd227ae6258da49c9ec60ec08b31ab1724cba495043cc6c2604e9ece0b8c343a77fd77d2bfb8573fc3aa34bc23ed99cfd1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Sync Data\LevelDB\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
345KB

MD5
28b6c4b7273e1d48fe1c41396f2aa9c5

SHA1
5ef88da7db1c206ef0d64345f8f875607a3c735e

SHA256
85f5b6f9a6e88f624a2f1f10bbff5523bd00470d0d5b1114dc854c53071ed022

SHA512
465d70e6129599c5119f8c45656f62f30c8ee3ce553fa72d9d02bef19a61b98ec383edd9e1df4a0700e1fd317185243463d586c52259c6a8791e5c0c6d412745

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\ShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\a6b58b46-3083-4c09-82a5-0ef6876f3ef5.tmp

Filesize
345KB

MD5
388cf756d330c034282245e30afb3900

SHA1
e97766a8bd06f30a848cc54c64f1969b15f2e81b

SHA256
2a98c9cb8e3b12a3bd690c0986e1ff6ad1424333bec7ad1ffceb2450da362df7

SHA512
ec8657f07644ba701de0e536d76f5e771f71715cd6cdf23c21a573f2cd2cfe6726598c9d341c218e051128110155d7ec4b8581f7f702a41182476952791a5c70

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA4C7.tmp

Filesize
1KB

MD5
4e84065ba9714547e9524fc0cc9ea0bc

SHA1
5d559eda01716ae6b16406d6b29e6482d998d06d

SHA256
6da0fcb0257f15e2ed3947ceddb801a0622c40ce59cc47624d0e5ff2a5fc7d70

SHA512
e3397c846831bb66f847f0199d442413d9fb9a4146d34f5a11d04ebd19665c0ce00183d326bbbd24de4044c6124d5f48ae9fce524ff232d607299e0ca902aee6

Download Submit
\Users\Admin\AppData\Roaming\XenoManager\Client-build.exe

Filesize
45KB

MD5
304d0e77da53af75ea9b70012a78348d

SHA1
2abfcf36150e5b19e90a2df133d5d5ccdc986b7b

SHA256
e1b5a90f068ee75d794e62acb4386e49a2e48b37d58de79801b437218dc78765

SHA512
0782a2840a73ae9459ba20e7ac9bd516efa55e65c2453b6d7bc7f68b39a63012d762c678e48c2fcaeb6418b31b6d2652fa7c4f33bd6ca0e53dbc018040fff054

Download Submit
memory/1424-13-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-10-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-9-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/1424-14-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-15-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1424-292-0x0000000074970000-0x000000007505E000-memory.dmp

Filesize
6.9MB

Download
memory/1532-0-0x000000007497E000-0x000000007497F000-memory.dmp

Filesize
4KB

Download
memory/1532-1-0x0000000000D10000-0x0000000000D22000-memory.dmp

Filesize
72KB

Download