xenorat | 02b05f38602f3f153a01bc5585e7a7482852bfb964cc8865905b584e62eb71b6

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	Mt5_Servers.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000\Control Panel\International\Geo\Nation	Mt5_Servers.exe

Executes dropped EXE 4 IoCs

pid	Process
1488	Mt5_Servers.exe
2020	Mt5_Servers.exe
964	Mt5_Servers.exe
5900	Mt5_Servers.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Enumerates connected drives 3 TTPs 1 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

Peripheral Device Discovery

T1120

System Information Discovery

description	ioc	Process
File opened (read-only)	\??\E:	Mt5_Servers.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shutdown.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mt5_Servers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mt5_Servers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mt5_Servers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mt5_Servers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmstp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Mt5_Servers.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	WINWORD.EXE

Enumerates system info in registry 2 TTPs 12 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	WINWORD.EXE
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	WINWORD.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	WINWORD.EXE

Kills process with taskkill 1 IoCs

defense_evasion

pid	Process
1840	taskkill.exe

Modifies data under HKEY_USERS 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133866842261109577"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "75"	LogonUI.exe

Modifies registry class 10 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings	Mt5_Servers.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell\Open	Mt5_Servers.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell\Open\command	Mt5_Servers.exe
Key created	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell	Mt5_Servers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell\Open\command\DelegateExecute	Mt5_Servers.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell\Open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\XenoManager\\Mt5_Servers.exe\""	Mt5_Servers.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell\Open\command	Mt5_Servers.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell\Open	Mt5_Servers.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings\Shell	Mt5_Servers.exe
Key deleted	\REGISTRY\USER\S-1-5-21-2123103809-19148277-2527443841-1000_Classes\ms-settings	Mt5_Servers.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 4 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
5952	schtasks.exe
4288	schtasks.exe
4352	schtasks.exe
5644	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
6104	WINWORD.EXE
6104	WINWORD.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe

Suspicious behavior: GetForegroundWindowSpam 4 IoCs

pid	Process
1488	Mt5_Servers.exe
2020	Mt5_Servers.exe
964	Mt5_Servers.exe
5900	Mt5_Servers.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	Mt5_Servers.exe
Token: SeDebugPrivilege	2020	Mt5_Servers.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	964	Mt5_Servers.exe
Token: SeDebugPrivilege	5900	Mt5_Servers.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	2912	chrome.exe
Token: SeCreatePagefilePrivilege	2912	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe
Token: SeCreatePagefilePrivilege	4276	chrome.exe
Token: SeShutdownPrivilege	4276	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
2912	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
4276	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe
3004	chrome.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
1488	Mt5_Servers.exe
6104	WINWORD.EXE
6104	WINWORD.EXE
6104	WINWORD.EXE
6104	WINWORD.EXE
6104	WINWORD.EXE
6104	WINWORD.EXE
6104	WINWORD.EXE
6104	WINWORD.EXE
188	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3360 wrote to memory of 1488	3360	Mt5_Servers.exe	83
PID 3360 wrote to memory of 1488	3360	Mt5_Servers.exe	83
PID 3360 wrote to memory of 1488	3360	Mt5_Servers.exe	83
PID 1488 wrote to memory of 5644	1488	Mt5_Servers.exe	84
PID 1488 wrote to memory of 5644	1488	Mt5_Servers.exe	84
PID 1488 wrote to memory of 5644	1488	Mt5_Servers.exe	84
PID 1488 wrote to memory of 2796	1488	Mt5_Servers.exe	88
PID 1488 wrote to memory of 2796	1488	Mt5_Servers.exe	88
PID 2796 wrote to memory of 1572	2796	cmd.exe	90
PID 2796 wrote to memory of 1572	2796	cmd.exe	90
PID 1572 wrote to memory of 2020	1572	fodhelper.exe	91
PID 1572 wrote to memory of 2020	1572	fodhelper.exe	91
PID 1572 wrote to memory of 2020	1572	fodhelper.exe	91
PID 2020 wrote to memory of 5952	2020	Mt5_Servers.exe	92
PID 2020 wrote to memory of 5952	2020	Mt5_Servers.exe	92
PID 2020 wrote to memory of 5952	2020	Mt5_Servers.exe	92
PID 1488 wrote to memory of 3468	1488	Mt5_Servers.exe	94
PID 1488 wrote to memory of 3468	1488	Mt5_Servers.exe	94
PID 1488 wrote to memory of 3468	1488	Mt5_Servers.exe	94
PID 728 wrote to memory of 4484	728	DllHost.exe	97
PID 728 wrote to memory of 4484	728	DllHost.exe	97
PID 728 wrote to memory of 4484	728	DllHost.exe	97
PID 4484 wrote to memory of 964	4484	cmd.exe	99
PID 4484 wrote to memory of 964	4484	cmd.exe	99
PID 4484 wrote to memory of 964	4484	cmd.exe	99
PID 728 wrote to memory of 1840	728	DllHost.exe	100
PID 728 wrote to memory of 1840	728	DllHost.exe	100
PID 728 wrote to memory of 1840	728	DllHost.exe	100
PID 964 wrote to memory of 4288	964	Mt5_Servers.exe	102
PID 964 wrote to memory of 4288	964	Mt5_Servers.exe	102
PID 964 wrote to memory of 4288	964	Mt5_Servers.exe	102
PID 5900 wrote to memory of 4352	5900	Mt5_Servers.exe	108
PID 5900 wrote to memory of 4352	5900	Mt5_Servers.exe	108
PID 5900 wrote to memory of 4352	5900	Mt5_Servers.exe	108
PID 1488 wrote to memory of 2912	1488	Mt5_Servers.exe	116
PID 1488 wrote to memory of 2912	1488	Mt5_Servers.exe	116
PID 2912 wrote to memory of 4628	2912	chrome.exe	117
PID 2912 wrote to memory of 4628	2912	chrome.exe	117
PID 2912 wrote to memory of 3876	2912	chrome.exe	118
PID 2912 wrote to memory of 3876	2912	chrome.exe	118
PID 2912 wrote to memory of 4044	2912	chrome.exe	119
PID 2912 wrote to memory of 4044	2912	chrome.exe	119
PID 2912 wrote to memory of 3076	2912	chrome.exe	120
PID 2912 wrote to memory of 3076	2912	chrome.exe	120
PID 2912 wrote to memory of 2264	2912	chrome.exe	121
PID 2912 wrote to memory of 2264	2912	chrome.exe	121
PID 2912 wrote to memory of 6108	2912	chrome.exe	122
PID 2912 wrote to memory of 6108	2912	chrome.exe	122
PID 2912 wrote to memory of 2388	2912	chrome.exe	123
PID 2912 wrote to memory of 2388	2912	chrome.exe	123
PID 2912 wrote to memory of 3144	2912	chrome.exe	125
PID 2912 wrote to memory of 3144	2912	chrome.exe	125
PID 2912 wrote to memory of 5244	2912	chrome.exe	126
PID 2912 wrote to memory of 5244	2912	chrome.exe	126
PID 2912 wrote to memory of 2016	2912	chrome.exe	127
PID 2912 wrote to memory of 2016	2912	chrome.exe	127
PID 2912 wrote to memory of 4416	2912	chrome.exe	128
PID 2912 wrote to memory of 4416	2912	chrome.exe	128
PID 2912 wrote to memory of 5580	2912	chrome.exe	129
PID 2912 wrote to memory of 5580	2912	chrome.exe	129
PID 1488 wrote to memory of 4276	1488	Mt5_Servers.exe	134
PID 1488 wrote to memory of 4276	1488	Mt5_Servers.exe	134
PID 4276 wrote to memory of 3784	4276	chrome.exe	135
PID 4276 wrote to memory of 3784	4276	chrome.exe	135

C:\Users\Admin\AppData\Local\Temp\Mt5_Servers.exe
"C:\Users\Admin\AppData\Local\Temp\Mt5_Servers.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3360
- C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Mt5 Servers" /XML "C:\Users\Admin\AppData\Local\Temp\tmpA1CE.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5644
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c start "" "%windir%\system32\fodhelper.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2796
  - - C:\Windows\system32\fodhelper.exe
      "C:\Windows\system32\fodhelper.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1572
    - - C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe
        
        "C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Mt5 Servers" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2264.tmp" /F
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:5952
      - C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\ChromeAutomationData
        6⤵
        Drops file in Windows directory
        Checks processor information in registry
        Enumerates system info in registry
        Modifies data under HKEY_USERS
        Suspicious use of FindShellTrayWindow
        
        PID:3004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\ChromeAutomationData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ChromeAutomationData\Crashpad --metrics-dir=C:\ChromeAutomationData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb83c5dcf8,0x7ffb83c5dd04,0x7ffb83c5dd10
        7⤵
        
        PID:928
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2108,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2104 /prefetch:2
        7⤵
        
        PID:5808
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=1900,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2540 /prefetch:3
        7⤵
        
        PID:3624
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=2112,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=1880 /prefetch:8
        7⤵
        
        PID:3848
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2868,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2924 /prefetch:1
        7⤵
        
        PID:5804
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2876,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2936 /prefetch:1
        7⤵
        
        PID:2228
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=3964,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=3976 /prefetch:8
        7⤵
        
        PID:4652
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=2836,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=4032 /prefetch:1
        7⤵
        
        PID:3876
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=3960,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2860 /prefetch:8
        7⤵
        
        PID:708
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=3988,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=3984 /prefetch:8
        7⤵
        
        PID:1308
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4608,i,16546835972617493342,13477520718094796767,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=4620 /prefetch:8
        7⤵
        
        PID:3076
      - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3316
      - C:\Windows\SysWOW64\shutdown.exe
        
        "C:\Windows\System32\shutdown.exe" /s /t 0
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:5052
- - \??\c:\windows\SysWOW64\cmstp.exe
    "c:\windows\system32\cmstp.exe" /au C:\windows\temp\cd3vo5s0.inf
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3468
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\ChromeAutomationData
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2912
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\ChromeAutomationData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ChromeAutomationData\Crashpad --metrics-dir=C:\ChromeAutomationData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb83c5dcf8,0x7ffb83c5dd04,0x7ffb83c5dd10
      4⤵
      PID:4628
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=1880,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=508 /prefetch:2
      4⤵
      PID:3876
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=1604,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=1920 /prefetch:3
      4⤵
      PID:4044
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=2124,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2144 /prefetch:8
      4⤵
      PID:3076
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2896,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2908 /prefetch:1
      4⤵
      PID:2264
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2912,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=2920 /prefetch:1
      4⤵
      PID:6108
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --extension-process --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3432,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=3712 /prefetch:2
      4⤵
      PID:2388
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4032,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4056 /prefetch:1
      4⤵
      PID:3144
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4132,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4140 /prefetch:8
      4⤵
      PID:5244
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4172,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4184 /prefetch:8
      4⤵
      PID:2016
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4144,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4328 /prefetch:8
      4⤵
      PID:4416
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4672,i,10223212956724422955,11559428816599201862,262144 --variations-seed-version=20250313-182214.581000 --mojo-platform-channel-handle=4684 /prefetch:8
      4⤵
      PID:5580
- - C:\Program Files\Google\Chrome\Application\chrome.exe
    "C:\Program Files\Google\Chrome\Application\chrome.exe" --no-sandbox --allow-no-sandbox-job --disable-gpu --user-data-dir=C:\ChromeAutomationData
    3⤵
    - Drops file in Windows directory
    - Checks processor information in registry
    - Enumerates system info in registry
    - Modifies data under HKEY_USERS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler --user-data-dir=C:\ChromeAutomationData /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\ChromeAutomationData\Crashpad --metrics-dir=C:\ChromeAutomationData --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffb83c5dcf8,0x7ffb83c5dd04,0x7ffb83c5dd10
      4⤵
      PID:3784
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAAAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --use-gl=angle --use-angle=swiftshader-webgl --field-trial-handle=2356,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2352 /prefetch:2
      4⤵
      PID:5020
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=1872,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2388 /prefetch:3
      4⤵
      PID:2368
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=2016,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2424 /prefetch:8
      4⤵
      PID:1148
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=2844,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2856 /prefetch:1
      4⤵
      PID:5164
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2860,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=2888 /prefetch:1
      4⤵
      PID:1156
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=3900,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=3884 /prefetch:8
      4⤵
      PID:3164
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=3936,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=3956 /prefetch:1
      4⤵
      PID:648
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4008,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=3992 /prefetch:8
      4⤵
      PID:1868
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4384,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=4396 /prefetch:8
      4⤵
      PID:1172
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-sandbox --string-annotations --user-data-dir="C:\ChromeAutomationData" --field-trial-handle=4568,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=4608 /prefetch:8
      4⤵
      PID:4996
  - - C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --user-data-dir="C:\ChromeAutomationData" --enable-dinosaur-easter-egg-alt-images --no-sandbox --disable-gpu-compositing --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4900,i,8103543952476679287,18380769222170591623,262144 --variations-seed-version=20250316-180048.776000 --mojo-platform-channel-handle=4924 /prefetch:1
      4⤵
      PID:5644

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c start "" "C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:964
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Mt5 Servers" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6624.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:4288
- C:\Windows\SysWOW64\taskkill.exe
  taskkill /IM cmstp.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1840

C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe
"C:\Users\Admin\AppData\Roaming\XenoManager\Mt5_Servers.exe"
1⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5900
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Mt5 Servers" /XML "C:\Users\Admin\AppData\Local\Temp\tmp8D53.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:4352

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:1636

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5604

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc
1⤵
PID:4588

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:5104

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:4776

C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE
"C:\Program Files\Microsoft Office\Root\Office16\WINWORD.EXE" /n "C:\Users\Admin\Desktop\OptimizeClear.docx" /o ""
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:6104

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x2fc 0x2ec
1⤵
PID:3532

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39fc855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:188

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Peripheral Device Discovery

T1120

Query Registry

System Information Discovery