xenorat | 1e1544521f5edd419e91a79e6ba9f210cb0ac4eb1eab24c1bd76e48f72835312

Resubmissions

24/03/2025, 03:37

250324-d61nwsyrv9 10

Analysis

max time kernel
215s
max time network
216s
platform
windows11-21h2_x64
resource
win11-20250314-en
resource tags

arch:x64arch:x86image:win11-20250314-enlocale:en-usos:windows11-21h2-x64system
submitted
24/03/2025, 03:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Bruter.exe
Size

45KB
MD5

b5b33c70e1d697300ecdf91890578b81
SHA1

0114e3e5c45e627aa81041a5b0209caaeb52b300
SHA256

1e1544521f5edd419e91a79e6ba9f210cb0ac4eb1eab24c1bd76e48f72835312
SHA512

b67552c461bfe3219986fbc559e0ef7d9453406fff5a9abe4240a12d10152973ba19a575a6b0c632456213a24ce2c8dcadd8ba29578cf0d91406c3a023a6b4c2
SSDEEP

768:NdhO/poiiUcjlJIn8aH9Xqk5nWEZ5SbTDaAuI7CPW5c:Dw+jjgnjH9XqcnW85SbTtuIk

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

147.185.221.25

Mutex

Xeno_rat_nd8912d

Attributes

install_path
appdata
port
36426
startup_name
Windows_Host_Proccess

Signatures

Detect XenoRat Payload 3 IoCs

resource	yara_rule
behavioral1/memory/5764-1-0x00000000008C0000-0x00000000008D2000-memory.dmp	family_xenorat
behavioral1/files/0x001b00000002b31c-7.dat	family_xenorat
behavioral1/memory/5996-114-0x0000000005940000-0x0000000005952000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
5996	Bruter.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bruter.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Bruter.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133872611637785174"	chrome.exe

Modifies registry class 4 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Moniker = "cr.sb.odm3E4D1A088C1F6D498C84F3C86DE73CE49F82A104"	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\Children	chrome.exe
Key created	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3920535620-1286624088-2946613906-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-620072444-2846605723-1118207114-1642104096-81213792-2370344205-2712285428\DisplayName = "Chrome Sandbox"	chrome.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5072	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
676	chrome.exe
676	chrome.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe
5996	Bruter.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 4 IoCs

pid	Process
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5996	Bruter.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe
Token: SeCreatePagefilePrivilege	676	chrome.exe
Token: SeShutdownPrivilege	676	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe
676	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5764 wrote to memory of 5996	5764	Bruter.exe	78
PID 5764 wrote to memory of 5996	5764	Bruter.exe	78
PID 5764 wrote to memory of 5996	5764	Bruter.exe	78
PID 5996 wrote to memory of 5072	5996	Bruter.exe	79
PID 5996 wrote to memory of 5072	5996	Bruter.exe	79
PID 5996 wrote to memory of 5072	5996	Bruter.exe	79
PID 676 wrote to memory of 5368	676	chrome.exe	85
PID 676 wrote to memory of 5368	676	chrome.exe	85
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 1992	676	chrome.exe	86
PID 676 wrote to memory of 3440	676	chrome.exe	87
PID 676 wrote to memory of 3440	676	chrome.exe	87
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88
PID 676 wrote to memory of 5136	676	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\Bruter.exe
"C:\Users\Admin\AppData\Local\Temp\Bruter.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:5764
- C:\Users\Admin\AppData\Roaming\XenoManager\Bruter.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Bruter.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5996
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Windows_Host_Proccess" /XML "C:\Users\Admin\AppData\Local\Temp\tmp7177.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5072

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:676
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=133.0.6943.60 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdb0e6dcf8,0x7ffdb0e6dd04,0x7ffdb0e6dd10
  2⤵
  PID:5368
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --string-annotations --gpu-preferences=UAAAAAAAAADgAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAAACAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=1904,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=1900 /prefetch:2
  2⤵
  PID:1992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --string-annotations --field-trial-handle=1440,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2220 /prefetch:11
  2⤵
  PID:3440
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --string-annotations --field-trial-handle=2360,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=2372 /prefetch:13
  2⤵
  PID:5136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3196,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3340 /prefetch:1
  2⤵
  PID:5032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=2364,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --extension-process --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3288,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4336 /prefetch:9
  2⤵
  PID:3724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --string-annotations --enable-dinosaur-easter-egg-alt-images --video-capture-use-gpu-memory-buffer --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4660,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4632 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4808,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4696 /prefetch:14
  2⤵
  PID:4404
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=4948,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4956 /prefetch:14
  2⤵
  PID:3792
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5332,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5344 /prefetch:14
  2⤵
  PID:5708
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5520,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5560 /prefetch:14
  2⤵
  PID:3264
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5688,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5584 /prefetch:14
  2⤵
  PID:328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5824,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5804 /prefetch:14
  2⤵
  PID:4800
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --message-loop-type-ui --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5640,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5652 /prefetch:14
  2⤵
  PID:1996
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --string-annotations --gpu-preferences=UAAAAAAAAADoAAAEAAAAAAAAAAAAAAAAAABgAAEAAAAAAAAAAAAAAAAAAABCAAAAAAAAAAAAAAAAAAAAAAAAABAAAAAAAAAAEAAAAAAAAAAIAAAAAAAAAAgAAAAAAAAA --field-trial-handle=5528,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=5648 /prefetch:10
  2⤵
  PID:5944
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=on_device_model.mojom.OnDeviceModelService --lang=en-US --service-sandbox-type=on_device_model_execution --video-capture-use-gpu-memory-buffer --string-annotations --field-trial-handle=5648,i,5381579744664391697,15114954668442113887,262144 --variations-seed-version=20250314-050508.937000 --mojo-platform-channel-handle=4384 /prefetch:14
  2⤵
  PID:4556

C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\133.0.6943.60\elevation_service.exe"
1⤵
PID:3544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
83a39ea144e4a45a12352d34eccaf4d6

SHA1
4e5a8f3c6e670e5cbf6149f2f2601d10762a9368

SHA256
88caf3e94d23b5d7dab8c793f857d0e4a1ae0fd5c0e54cc72882dfbe7a860fec

SHA512
671b4b30fe77f96793c89b2622124e12696a77bf2690159a5601637d10c4b019bb06e66f46ad0c4231643759124f814c19d74109ee4b3c90561e6c7b898f041d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
2KB

MD5
783f82985af3f940acaf9bc7ee37e78c

SHA1
385b99d8bd249a0cf754ef5ec220fe715395b4f4

SHA256
42a32f06f4a9e6086ba9f26409e05db0eaf7a8cc4a319909da3033821df20d91

SHA512
40afa0435deb35c5fb02f06c33ecff6d847cd135e6db1ca852d2689d544064caf81d0590b539488ec2343d108c4e226d9ec09263b067009987d8e28cf8e064ca

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
76755221cca0526ac622426c6443f546

SHA1
ffe014688b8da7bfa15e29d1085c2e792c6f77f9

SHA256
5154edd670ee964c944ecad226a81dd49a9b389c97498dbd0b0c96ee5eb716c4

SHA512
d0a0b723551011480b657038312e9b88d03d288ed7461aaadc3dfe3481cdea98429d00446b62ec3b3575912bdebdcc0e64ad5d41c0d411d9040e816b02c70925

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
52d7086ca300dbbc3322e916b21ee282

SHA1
5ebc6f042ba53d3dee70c70413a765f68a9f1018

SHA256
d28a94d64ffb0cf5f866609cf239343756c0d03401dd76f74106141e12a497d9

SHA512
3a48a42b6fbada11c081727812215c656ff65a970e97fd3a87d160bfb2c85c1d285b1dca9afad0b7747872d9e417bdeb6fad8fa7fdecaec24d40e4c6508b914b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
8bb95c038ebb98b20b6450c9cdf31bd1

SHA1
66835fc27e2353330109e3df70d4330033670169

SHA256
68e999c9b27dd67ec5c19cc95fc17adb60e444550b7bc9ee0143df1a53079045

SHA512
d3d5c2a963e2c94a7e66fb3af8ab51eb98fafb5aadd1e8e1d9c1a317d6ecd5726df47b81697153964ad64c10ba4b04a3ba4777b6965d64bea219dd7a44578c74

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
147bcec7869230b0500ba32e45a3b26b

SHA1
a4e36349debf530797aad051d197ab5b3c44fe63

SHA256
9935ceb4f6c30de99c5d6876d5c244e0a67556bb97c2db3c32e2c808fbfa3d79

SHA512
090b38599f3008f5b00c7a748746917c867391ec45dfaffbf013346e32075535247527b80b0c2863f9e00be09492d2b5f334a7c6aeb11400c727c473cac159da

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582ad4.TMP

Filesize
48B

MD5
cebde69eb7fddb7834ebc0efc09e0c2c

SHA1
dd5bdf1204c35c9d6d17ff2f5f815ba58b6811b4

SHA256
2d6fa49d815edf095b1b7e7c8950875329f0350948a4ef79a04b9c9d58a5bde4

SHA512
c60e52b140e2e0492e5098ecd362d82435b54ec3a6aa238437fb311f845b65facf4a847e61df9ee14261b9f0f206bcc22204c3c14df547181ddf274d33a98164

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
155KB

MD5
34adbe5c3791a48e9bead97f5819ffd9

SHA1
be7828fe1b67452c209a55028b3a8e6bf8d64643

SHA256
bf165140706befdd19b12fdd53ad2365eb8625050ca18a9da61346d66e237532

SHA512
91b65757e69b0b60d9877f8a87a236ba065733b5f5fe5a47fd426ca62c3b474674b105683f035e5da01332ae3104865c0986b7c5a5e598389f0ebab3afc37dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
80KB

MD5
6dd29b84038534a446a8480415d8dc52

SHA1
42d33ad0560a2cde06dc2eb103f4947f01cce75c

SHA256
683d0465ae0917f3d524f2500b3e4290e55de8dda7a04506631ebc18e60b459e

SHA512
a37732d50f0b8bdef887ae5ebf7dbceed04b351fd9019b07c1a339c574106f6ba1e5e35bee2a5f91d8eeb93eb84e4a1e4c2529de202b0d07d5905dc1b5122a4c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Bruter.exe.log

Filesize
226B

MD5
1294de804ea5400409324a82fdc7ec59

SHA1
9a39506bc6cadf99c1f2129265b610c69d1518f7

SHA256
494398ec6108c68573c366c96aae23d35e7f9bdbb440a4aab96e86fcad5871d0

SHA512
033905cc5b4d0c0ffab2138da47e3223765146fa751c9f84b199284b653a04874c32a23aae577d2e06ce6c6b34fec62331b5fc928e3baf68dc53263ecdfa10c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7177.tmp

Filesize
1KB

MD5
cd54f5aa043f13b23cb5ec297bf62ed0

SHA1
cf958f023483135332850a73ed1c1e8c3007a018

SHA256
d951072ac739f6b8025d956b79e165e5fe5daf785643b6f3c6f888d3c3013fe4

SHA512
8a74beadd7b30de89f0658fb3b6f4360fecfb76f92e860936732b0b16d576df9f7dea4287d6943e87c3895769f12148b73a5b5ede74701b80d7982789c3550d1

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Bruter.exe

Filesize
45KB

MD5
b5b33c70e1d697300ecdf91890578b81

SHA1
0114e3e5c45e627aa81041a5b0209caaeb52b300

SHA256
1e1544521f5edd419e91a79e6ba9f210cb0ac4eb1eab24c1bd76e48f72835312

SHA512
b67552c461bfe3219986fbc559e0ef7d9453406fff5a9abe4240a12d10152973ba19a575a6b0c632456213a24ce2c8dcadd8ba29578cf0d91406c3a023a6b4c2

Download Submit
memory/5764-0-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/5764-1-0x00000000008C0000-0x00000000008D2000-memory.dmp

Filesize
72KB

Download
memory/5996-21-0x0000000074D90000-0x0000000075541000-memory.dmp

Filesize
7.7MB

Download
memory/5996-20-0x0000000074D90000-0x0000000075541000-memory.dmp

Filesize
7.7MB

Download
memory/5996-19-0x0000000005960000-0x00000000059C6000-memory.dmp

Filesize
408KB

Download
memory/5996-18-0x0000000074D90000-0x0000000075541000-memory.dmp

Filesize
7.7MB

Download
memory/5996-16-0x0000000074D90000-0x0000000075541000-memory.dmp

Filesize
7.7MB

Download
memory/5996-114-0x0000000005940000-0x0000000005952000-memory.dmp

Filesize
72KB

Download