xenorat | hxxps://gofile[.]io/d/XL0XKB

Analysis

max time kernel
86s
max time network
80s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/10/2024, 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/XL0XKB

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
nothingset
port
4444
startup_name
CriticalHost

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0007000000023c86-64.dat	family_xenorat
behavioral1/memory/2380-113-0x0000000000A00000-0x0000000000A12000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Downloads MZ/PE file

Executes dropped EXE 4 IoCs

pid	Process
2380	shitass.exe
3172	shitass.exe
4088	shitass.exe
2940	shitass.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shitass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shitass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shitass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	shitass.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 905099.crdownload:SmartScreen	msedge.exe
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 212767.crdownload:SmartScreen	msedge.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2328	schtasks.exe
764	schtasks.exe
1120	schtasks.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
1956	msedge.exe
1956	msedge.exe
2980	msedge.exe
2980	msedge.exe
1292	identity_helper.exe
1292	identity_helper.exe
1708	msedge.exe
1708	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of FindShellTrayWindow 42 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe
2980	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2980 wrote to memory of 396	2980	msedge.exe	83
PID 2980 wrote to memory of 396	2980	msedge.exe	83
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 2164	2980	msedge.exe	85
PID 2980 wrote to memory of 1956	2980	msedge.exe	86
PID 2980 wrote to memory of 1956	2980	msedge.exe	86
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87
PID 2980 wrote to memory of 2152	2980	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://gofile.io/d/XL0XKB
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2980
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ff9a7b946f8,0x7ff9a7b94708,0x7ff9a7b94718
  2⤵
  PID:396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:2164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2716 /prefetch:8
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3304 /prefetch:1
  2⤵
  PID:4664
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3044 /prefetch:1
  2⤵
  PID:1032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3924 /prefetch:1
  2⤵
  PID:4032
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  PID:940
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3956 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5200 /prefetch:1
  2⤵
  PID:2536
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4736 /prefetch:8
  2⤵
  PID:1196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:764
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5316 /prefetch:1
  2⤵
  PID:2960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5672 /prefetch:1
  2⤵
  PID:4852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6084 /prefetch:8
  2⤵
  PID:1728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5688 /prefetch:8
  2⤵
  PID:1400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5828 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1708
- C:\Users\Admin\Downloads\shitass.exe
  "C:\Users\Admin\Downloads\shitass.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2380
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "CriticalHost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE975.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6116 /prefetch:1
  2⤵
  PID:4044
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3988 /prefetch:1
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,15671007730314714597,14188085227164171303,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6228 /prefetch:1
  2⤵
  PID:4056

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:764

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2864

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1720

C:\Users\Admin\Downloads\shitass.exe
"C:\Users\Admin\Downloads\shitass.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:3172
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "CriticalHost" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4253.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:764

C:\Users\Admin\Downloads\shitass.exe
"C:\Users\Admin\Downloads\shitass.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:4088

C:\Users\Admin\Downloads\shitass.exe
"C:\Users\Admin\Downloads\shitass.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2940
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "CriticalHost" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEDD6.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:1120

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\shitass.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
85ba073d7015b6ce7da19235a275f6da

SHA1
a23c8c2125e45a0788bac14423ae1f3eab92cf00

SHA256
5ad04b8c19bf43b550ad725202f79086168ecccabe791100fba203d9aa27e617

SHA512
eb4fd72d7030ea1a25af2b59769b671a5760735fb95d18145f036a8d9e6f42c903b34a7e606046c740c644fab0bb9f5b7335c1869b098f121579e71f10f5a9c3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
7de1bbdc1f9cf1a58ae1de4951ce8cb9

SHA1
010da169e15457c25bd80ef02d76a940c1210301

SHA256
6e390bbc0d03a652516705775e8e9a7b7936312a8a5bea407f9d7d9fa99d957e

SHA512
e4a33f2128883e71ab41e803e8b55d0ac17cbc51be3bde42bed157df24f10f34ad264f74ef3254dbe30d253aca03158fde21518c2b78aaa05dae8308b1c5f30c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
288B

MD5
0c6aeb6b705a67fe06914ca822fb4758

SHA1
26f5a3dfd10fcfaf867b2fc09e56b95e1c816ee1

SHA256
26cb03872f50eebfdb38afff864e42397dfe2089e0da60486ddffa3e377bcb51

SHA512
c7aa2c31be1d89722d61cd0628184c834b2fc07069740b9228f90cbd4b95b11c87ac01a1a202e8423f72a4c1ed76e65a15e8525582083af0f310ab053fcbb3e8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
af70db1887381980b2e8b6cabbededc2

SHA1
b5259f04715316d365c733e90c8768a8f7aa68e6

SHA256
fbb070db6f3a8745c65d094352de10556b5fb45173b6aa56e5de9d016187b265

SHA512
67a439819258cc6e2bcdc3e9a75a3f270d411362094afd768301481c3e31c32e5200afd2ef06932eae855112ef08137d52e580ab3958f6ae71c2d1bca2889503

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
bef77b9de4b00904c8ca0678ea4b70e4

SHA1
27922b1853f93da1623e8a22c8e0f20fde05b03e

SHA256
eccab6566dfdc0641d4255fc7cb24b9cb4a5becfc24e1d0dc07ea847a1dbe231

SHA512
cf42a78bd2871df44291edf2e122ee06739468c2087931a903f7701bd3130cc5627904b1e5ad1d1cce7a9fa8bc61fe10b838e140bd7956a4b610e96205685e67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1020cd2b714ba777a9b925a4293e42cb

SHA1
da21237c40990f82b5ba29a80a946c58c37631b5

SHA256
09d0c5cf1691237fe994cfd5cb709b1f9d9d12f79e7be8a57cc563d6a3a71a23

SHA512
51c652766cff354a04626b5bccd3de24be5a441919e603d81cdb468a6d76eb250d8900ebaf24ac9ff38c2994800019af0328e2142c4e7218cda0c0dadb8c8564

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
27dd14f540550a01b0c90c4838c973bb

SHA1
0af2a06cb9bfdcd6531136526379eba8899357e9

SHA256
80af907beff4e2c13d79594fb0f6bb9bca02e7064f0c02888b932c5ac1831994

SHA512
88807238ac8d1ada6d231beb1f7d4e98878bbf1f074778360285e17fd9b1f6c2bb1f4ab0505be7ef96b3b425e3229134c134ecd4f927dade9f8190014c60d8c1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
75c2acdb14d2d9ae782bba1a29c61db4

SHA1
1b45d5ec9025f5844e9771edfd036da4fed40d3b

SHA256
92dc6c4a5b7c905edc257c91a017f7027441ad4f6e7350c320f8692573c7d029

SHA512
977d7cb4ed2f297c35246a59ebb1fab5b064b719f3e8a93f710281ef10d4c5842658e83a65c0a1a4461a11748143b3f80de767b79a1be074d41b6e6bbf3275b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE975.tmp

Filesize
1KB

MD5
af3c0620e1f66a3c48c121f693cf9a4d

SHA1
391560130967f8f8998290476ef847d279f1355c

SHA256
9157ec0ec97cb943dbe54f92d9fec29d74a63124f7219fc49cbcee86d40a26a3

SHA512
642cf40d64d066320e51812d4cc187e1542b5a1d83ef3b542584959f07f48a6d3f0085c1d3d39f4330237c606aa717ba9f37e15f92b489297a11c51f98206f63

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 905099.crdownload

Filesize
46KB

MD5
8942bbbd1c6cbc2c94830caaabd6f57f

SHA1
69149e6b5e728215c9b6afbd3feb2fa6d3c5749d

SHA256
e266980814ceec49f656316dc77904de6f716cfae161723a0c68a463aedf4e0e

SHA512
1c6b8774e4d4516e6976aaf281967a98ebb95bc1dc504e1bf8f42e09cae3ea278e03e1fdbe9f2516c121b0758f18c9394154cb23782fbbe0c04d434417e1aad2

Download Submit
memory/2380-113-0x0000000000A00000-0x0000000000A12000-memory.dmp

Filesize
72KB

Download