xenorat | hxxps://file[.]io/CvXNt2ZDzqBV

Analysis

max time kernel
569s
max time network
570s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
23-06-2024 09:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://file.io/CvXNt2ZDzqBV

Score

10^/10

xenorat rat spyware stealer trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Fn_external

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
svhost

Signatures

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Fn_external.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation	Fn_external.exe

Executes dropped EXE 3 IoCs

pid	Process
6488	Fn_external.exe
3604	Fn_external.exe
6296	Fn_external.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 45 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\FFlags = "1092616257"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 0100000000000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Mode = "4"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02020202020202	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupView = "0"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 19002f433a5c000000000000000000000000000000000000000000	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0 = 5000310000000000a858985a100041646d696e003c0009000400efbea858bc53d758444f2e00000076e1010000000100000000000000000000000000000043dd8100410064006d0069006e00000014000000	xeno rat server.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\LogicalViewMode = "1"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 000000000200000001000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0 = 7800310000000000a858bc531100557365727300640009000400efbe874f7748d758444f2e000000c70500000000010000000000000000003a0000000000070de60055007300650072007300000040007300680065006c006c00330032002e0064006c006c002c002d0032003100380031003300000014000000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\IconSize = "16"	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\MRUListEx = 00000000ffffffff	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByDirection = "1"	xeno rat server.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Generic"	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\ComDlg\{5C4F28B5-F869-4E84-8E60-F11DB97C5CC7}\GroupByKey:PID = "0"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	xeno rat server.exe
Key created	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0 = 7e00310000000000d758594f11004465736b746f7000680009000400efbea858bc53d758594f2e00000080e101000000010000000000000000003e0000000000255257004400650073006b0074006f007000000040007300680065006c006c00330032002e0064006c006c002c002d0032003100370036003900000016000000	xeno rat server.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\NodeSlot = "3"	xeno rat server.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\0\0\0\MRUListEx = ffffffff	xeno rat server.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5376	schtasks.exe
1308	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4440	msedge.exe
4440	msedge.exe
1140	msedge.exe
1140	msedge.exe
5680	identity_helper.exe
5680	identity_helper.exe
6240	msedge.exe
6240	msedge.exe
6456	msedge.exe
6456	msedge.exe
6456	msedge.exe
6456	msedge.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe
3604	Fn_external.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
6568	xeno rat server.exe
3604	Fn_external.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 29 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	3604	Fn_external.exe
Token: SeDebugPrivilege	6296	Fn_external.exe

Suspicious use of FindShellTrayWindow 57 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
6568	xeno rat server.exe
6568	xeno rat server.exe
6568	xeno rat server.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe
1140	msedge.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
6568	xeno rat server.exe
6568	xeno rat server.exe
3604	Fn_external.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1140 wrote to memory of 700	1140	msedge.exe	80
PID 1140 wrote to memory of 700	1140	msedge.exe	80
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 2036	1140	msedge.exe	81
PID 1140 wrote to memory of 4440	1140	msedge.exe	82
PID 1140 wrote to memory of 4440	1140	msedge.exe	82
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83
PID 1140 wrote to memory of 2488	1140	msedge.exe	83

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://file.io/CvXNt2ZDzqBV
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff9cb046f8,0x7fff9cb04708,0x7fff9cb04718
  2⤵
  PID:700
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
  2⤵
  PID:2036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4440
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2620 /prefetch:8
  2⤵
  PID:2488
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3312 /prefetch:1
  2⤵
  PID:2072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
  2⤵
  PID:3720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4660 /prefetch:1
  2⤵
  PID:556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:1520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4076 /prefetch:1
  2⤵
  PID:3688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5888 /prefetch:1
  2⤵
  PID:3892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5376 /prefetch:1
  2⤵
  PID:2364
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5780 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6204 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6248 /prefetch:1
  2⤵
  PID:544
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6504 /prefetch:1
  2⤵
  PID:1128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6636 /prefetch:1
  2⤵
  PID:3528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6980 /prefetch:1
  2⤵
  PID:5144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
  2⤵
  PID:5176
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6328 /prefetch:1
  2⤵
  PID:5252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7512 /prefetch:1
  2⤵
  PID:5372
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6336 /prefetch:1
  2⤵
  PID:5484
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7708 /prefetch:1
  2⤵
  PID:5560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8012 /prefetch:1
  2⤵
  PID:5808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=26 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8056 /prefetch:1
  2⤵
  PID:5880
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8688 /prefetch:8
  2⤵
  PID:5332
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=8688 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4980 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=30 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8400 /prefetch:1
  2⤵
  PID:1996
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5632 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=32 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5948 /prefetch:1
  2⤵
  PID:6556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=34 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:6604
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=35 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=8428 /prefetch:1
  2⤵
  PID:6812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=36 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
  2⤵
  PID:6800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=37 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7296 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=38 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=7516 /prefetch:1
  2⤵
  PID:6944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2176,14472286735251931522,5456086560849977899,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=7196 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:6456

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1996

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService
1⤵
PID:5968

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:6876

C:\Users\Admin\Desktop\1\xeno rat server.exe
"C:\Users\Admin\Desktop\1\xeno rat server.exe"
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
PID:6568

C:\Users\Admin\Desktop\Fn_external.exe
"C:\Users\Admin\Desktop\Fn_external.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
PID:6488
- C:\Users\Admin\AppData\Roaming\XenoManager\Fn_external.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Fn_external.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  PID:3604
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "svhost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpB185.tmp" /F
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:5376
- - C:\Users\Admin\AppData\Roaming\XenoManager\Fn_external.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Fn_external.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:6296
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "svhost" /XML "C:\Users\Admin\AppData\Local\Temp\tmp36CD.tmp" /F
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:1308

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Fn_external.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
4b4f91fa1b362ba5341ecb2836438dea

SHA1
9561f5aabed742404d455da735259a2c6781fa07

SHA256
d824b742eace197ddc8b6ed5d918f390fde4b0fbf0e371b8e1f2ed40a3b6455c

SHA512
fef22217dcdd8000bc193e25129699d4b8f7a103ca4fe1613baf73ccf67090d9fbae27eb93e4bb8747455853a0a4326f2d0c38df41c8d42351cdcd4132418dac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
eaa3db555ab5bc0cb364826204aad3f0

SHA1
a4cdfaac8de49e6e6e88b335cfeaa7c9e3c563ca

SHA256
ef7baeb1b2ab05ff3c5fbb76c2759db49294654548706c7c8e87f0cde855b86b

SHA512
e13981da51b52c15261ecabb98af32f9b920651b46b10ce0cc823c5878b22eb1420258c80deef204070d1e0bdd3a64d875ac2522e3713a3cf11657aa55aeccd4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
8a002cc23ef461fd6330e835baa31f1e

SHA1
534e5f65bf64e0feae366e72f29a67e573ed6cc6

SHA256
819567fcfb0996c30dea7eaaf7d3a8944425cda147b959aeea9591cc4c7a27df

SHA512
87e49bb5b412f88f4b3eb9e44ccce1d32a6de63de775e6381b2b5f1fe3d1b2181995e2cc987dedcdb0e1a947a03ee23b3149ad12f85170c8ded6509527e35df9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
10KB

MD5
4fa00d4b04e9db10859ff96067071dce

SHA1
67387c35a02174287bcb3bdca734249d35f3a29a

SHA256
08a93ad5aee3a8b022ad308e5b9f8559f9afe5cdfe804ee42b94d8b5c91fb060

SHA512
92176f11d4cad0b81c41e7d5fa99be57031a668be754a2f2545c4cca697ddda6131ab061f7d5366fc6b2fecb128afafb15c843a1386d997f9a660fa3b7960f68

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
16KB

MD5
52ba583ae8619698ff603445dd636998

SHA1
560970fe60e337fa96627839ea4f224841c4912f

SHA256
cdc52562aa51e0cc254faa8eb81600b98372f24f2ac761328766febdf8177691

SHA512
b387aa9ee0b49f6d1f0865a44578f26795fb6b13d56af71e2f62b56159391c59364099bff5157630c4c4c62bdf86d45be03d32f34babe05558ace2da4d4f5f05

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
7fc61f4dde064716dc8fe935b6e92234

SHA1
b9270d2f303c7476c0bdef23325e4c3654db0c26

SHA256
6236a9641c7489c49c42714df3ac1a0b952b1e1fceec132d7f6e341d138b233b

SHA512
b510abdd2016adedc94a396746542dc05ba20d2e914df120d1fc5d5fe34f82bd75090506eda83f2a34c647af9ddedd0edc4c4953c99654fbf7de9af3bfb2ca61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
12KB

MD5
bf7779376216e44fbdd01eb2a7b0ef87

SHA1
27b850411225ab0fc86b78a57fb43f17291b2ee3

SHA256
e24324505add2670c13caf4f34f5281311dfdc1d72d3d8d1919ff8af3e4984de

SHA512
45047dda489ca870afe0d3103bc52219ed3d248532ec427e40a26b64c5747eca999905b17405568b35902dcb9497b140df2a41d2b754d55fda6af22c39bf2108

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
15KB

MD5
21fd502cb0613affd25aed00cee293e1

SHA1
12271858c5105e018e49ec7fcaa5e507de78683e

SHA256
f6bc7adfa96adad6997367c4d1859d41df7e2f9d1430e862edca03d88d4740b3

SHA512
4aecfd3a62236092a8ee191492d20c5b06cf73ce814d72fe5475cfa2db32b4cae917729a8a54f2c6e8ae83030ad2bfc12a1b81d2aebd2c3e3295524f7633e41c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
4KB

MD5
0545f25289971994725e5996222d99d1

SHA1
dedee5131ba56425865db737bf43e4b5da2ed1f7

SHA256
d3924f24095f6240b54480e3d49c9804a45e662813b7e5856ce9a2d30b7d6879

SHA512
429a7d21944b568c281075733eac7a51d9e3a49324c20a50fc1cd7ff6221b78b9c08e3cdcd9426a56643dc2e3c441476dcad7ef25a3a503d1eabb49b7237ea0b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
3KB

MD5
c1dab6d8104130ff1d6c7e6b8f93a0fa

SHA1
0dd0d3d28df490c0836f8d243c52171bc7751958

SHA256
84e07697f291ab6096c4749e6d879ac48a8bb13a13106403293c5c8b65b29885

SHA512
ace8c40830622f12c9c45387ec88e093ab24502df9c969e11409dd4d8921ad1e7852b388a62fc54ca1706982780e8dddadab81e837bd7eb2ddef941feda58c42

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c1f8.TMP

Filesize
3KB

MD5
8b771628ac47ebc55806c817198cad73

SHA1
26dd21467f211ad5ed1e4b6fa5ddcf834a1ac4d2

SHA256
6bf47344fc27e74cd00a166f82c3afcdf6ff5523c7582265f5437ba1eb4b5970

SHA512
acec1c756ec013d4af843d0ceb60280142e1b8f8d7f94591d6508f92f860df6eb44c846bb31c7e2beea329f818dbca492b23905c996ebfcc72221638ab249cb3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
664e74a71e829c27cf5880809868e07f

SHA1
e4a28deaa5dd81a659ab7d3ba3aeedb04d4e1af0

SHA256
fe4fa4443c34a13618cb5c9fd64c7cd51c2373bbc52eb049b36cbf82e2828e39

SHA512
b15b94a3c25ac78d3da1e0577f1a94643902d207b6884493116ddbf035c715ffcc19657ce9d9ccd9b59e0508ac7ad1b62a6dde3c6942caf52db7c5c2a0e15fbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
5dc12dd7dbed1ea2fc623a2e9d3dc5ca

SHA1
508ac075fcf68634454d50ca763275782d465aef

SHA256
c28b25106e057ffe7193e8b193d5f2d4d897b6376d2948bcb30af2f63bf47b4d

SHA512
6cfae4c0d64e5bc0d48bc8cb85f6dcd22ce05bc84770e778c0bdf31b25b6a76abbdf42c2bee23dd276e09fb2a0439f75fea5d69e9446db7f3e6ba3a03c19ba26

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
dd58322e487d5a0906427bfeba63d847

SHA1
26af4450e036d1b65e7366730c8f4adbb98b1550

SHA256
ae04008f1d2bf0acd98e7a2ba7550fdeea48a3e0a2fd2705c7b1735335e8aaca

SHA512
fedb1f601fe529d9b20710167cb7bb9ea2b4cc25a19e1ce6a20575cddb1fede17f185e3dbd852763a7ed42aa9f33a03ed90e4c352a835e44d5638c0b894bea59

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
e307d8db94f6b331ed7af77b15e5c894

SHA1
9c712a9fabcb02e1464ef67adf56f55cd8fcb147

SHA256
3612f7b43340ecf29c8346f0d1cc2f2c688efb3081624234208927825ab4ab10

SHA512
548c81da7c43f9ef33fef3f3ff7d664ad31bb653a12c6b7d368ac224079f3e876c61f26cd9a139ec1fa0ad843ee366cfb59cbae9963b8bca4eeb965913a9ace7

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB185.tmp

Filesize
1KB

MD5
04dce4057e5ae45a8b1fed6597599e37

SHA1
d293cd66c2e1a33398ead7197af43b52693fd59e

SHA256
ea23d2136d781f34823740903be7830e80bdff971e0720c15c98bb4dac960b5a

SHA512
9c4489f53a2607e5132242f83b8b6ed4342e57e456c41e45a80510fe03280bc404d0e8d26b648f22df3062d3b4f0b7aee10e3300c482fe9d47cb7fc6d08186cd

Download Submit
C:\Users\Admin\Desktop\Fn_external.exe

Filesize
45KB

MD5
270d021669c690f3fabb5ea0f6a56708

SHA1
468bfd1567d662555496fe3b2f150c37085b83e5

SHA256
81a930e51300872f737fa46b95ca34f5bc81a87f4ba19cbcf4d45947e7229960

SHA512
81f0c12fef3261f3b38d19ad02067496492a47b418ad93bc01ed07f2253fcce3ab7010bc858b51d3ac4db148a3c68fc735877da35ef749706ea4b9e17befcbc6

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 107236.crdownload

Filesize
6.4MB

MD5
dd9b0d0432b4d536edca205b80910cae

SHA1
2b5b16fd916029c5956f5bca9d5b50c0c157f8a3

SHA256
66183f9ade19371ec4146b09ef35bd524c9e3fb1304fe39a9bf087a0b7f05368

SHA512
4d38589c00e28a17af6463f4f1e6a94f1b5504af06d75c2f4f66fcc11c02439742c383d366d7d7f1d83ac7f9c5082b5f3ccd788bba4828d6a8e686c13b47eded

Download Submit
memory/3604-425-0x0000000005CE0000-0x0000000005EA2000-memory.dmp

Filesize
1.8MB

Download
memory/3604-429-0x0000000005F20000-0x0000000005F3E000-memory.dmp

Filesize
120KB

Download
memory/3604-424-0x0000000005A10000-0x0000000005B0A000-memory.dmp

Filesize
1000KB

Download
memory/3604-427-0x0000000005C50000-0x0000000005CC6000-memory.dmp

Filesize
472KB

Download
memory/3604-422-0x0000000005420000-0x0000000005486000-memory.dmp

Filesize
408KB

Download
memory/3604-449-0x00000000008F0000-0x00000000008FC000-memory.dmp

Filesize
48KB

Download
memory/3604-448-0x0000000004CD0000-0x0000000004CDA000-memory.dmp

Filesize
40KB

Download
memory/3604-447-0x0000000005790000-0x000000000579A000-memory.dmp

Filesize
40KB

Download
memory/3604-431-0x0000000005FE0000-0x000000000607C000-memory.dmp

Filesize
624KB

Download
memory/3604-428-0x00000000063E0000-0x000000000690C000-memory.dmp

Filesize
5.2MB

Download
memory/3604-426-0x0000000005B80000-0x0000000005BD0000-memory.dmp

Filesize
320KB

Download
memory/6296-453-0x0000000005D10000-0x0000000005D1A000-memory.dmp

Filesize
40KB

Download
memory/6296-454-0x0000000006000000-0x000000000600A000-memory.dmp

Filesize
40KB

Download
memory/6296-455-0x0000000004E00000-0x0000000004E0A000-memory.dmp

Filesize
40KB

Download
memory/6488-406-0x0000000000D40000-0x0000000000D52000-memory.dmp

Filesize
72KB

Download
memory/6568-392-0x0000000001420000-0x000000000143A000-memory.dmp

Filesize
104KB

Download
memory/6568-309-0x0000000005DE0000-0x0000000006384000-memory.dmp

Filesize
5.6MB

Download
memory/6568-423-0x0000000009680000-0x0000000009692000-memory.dmp

Filesize
72KB

Download
memory/6568-310-0x0000000005830000-0x00000000058C2000-memory.dmp

Filesize
584KB

Download
memory/6568-311-0x00000000057F0000-0x00000000057FA000-memory.dmp

Filesize
40KB

Download
memory/6568-312-0x00000000081E0000-0x00000000081F4000-memory.dmp

Filesize
80KB

Download
memory/6568-308-0x0000000000BD0000-0x0000000000DD2000-memory.dmp

Filesize
2.0MB

Download
memory/6568-314-0x00000000082D0000-0x00000000082E2000-memory.dmp

Filesize
72KB

Download
memory/6568-391-0x00000000012E0000-0x0000000001404000-memory.dmp

Filesize
1.1MB

Download
memory/6568-313-0x00000000082A0000-0x00000000082BA000-memory.dmp

Filesize
104KB

Download
memory/6568-331-0x0000000008400000-0x0000000008754000-memory.dmp

Filesize
3.3MB

Download
memory/6568-330-0x0000000008330000-0x00000000083E2000-memory.dmp

Filesize
712KB

Download
memory/6568-315-0x000000000A1D0000-0x000000000A1F2000-memory.dmp

Filesize
136KB

Download