xenorat | hxxps://mega[.]nz/file/HQoBUDqa#xtCONJ15LjdMxSyRHwOM6jJKHahXNiWzr4oTKgXU4Xs

Analysis

max time kernel
95s
max time network
98s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/HQoBUDqa#xtCONJ15LjdMxSyRHwOM6jJKHahXNiWzr4oTKgXU4Xs

Score

10^/10

xenorat discovery execution rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Aphrobyte

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Windows Updater

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/memory/6140-231-0x0000000000CA0000-0x0000000000CB2000-memory.dmp	family_xenorat
behavioral1/files/0x0009000000023e3e-236.dat	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Executes dropped EXE 1 IoCs

pid	Process
3516	Aphrobyte.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs

Start PowerShell.

execution

PowerShell

T1059.001

pid	Process
6020	powershell.exe
5480	powershell.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Aphrobyte.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
5944	PING.EXE
3952	PING.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	msedge.exe

Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery

T1018

pid	Process
5944	PING.EXE
3952	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 3 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4788	schtasks.exe
3040	schtasks.exe
6024	schtasks.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
936	msedge.exe
936	msedge.exe
3852	msedge.exe
3852	msedge.exe
3424	identity_helper.exe
3424	identity_helper.exe
2616	msedge.exe
2616	msedge.exe
6020	powershell.exe
6020	powershell.exe
6020	powershell.exe
5480	powershell.exe
5480	powershell.exe
5480	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
5136	OpenWith.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: 33	4976	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4976	AUDIODG.EXE
Token: SeDebugPrivilege	6020	powershell.exe
Token: SeDebugPrivilege	5480	powershell.exe

Suspicious use of FindShellTrayWindow 33 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe
5136	OpenWith.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3852 wrote to memory of 3080	3852	msedge.exe	82
PID 3852 wrote to memory of 3080	3852	msedge.exe	82
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 1468	3852	msedge.exe	83
PID 3852 wrote to memory of 936	3852	msedge.exe	84
PID 3852 wrote to memory of 936	3852	msedge.exe	84
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85
PID 3852 wrote to memory of 1952	3852	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/HQoBUDqa#xtCONJ15LjdMxSyRHwOM6jJKHahXNiWzr4oTKgXU4Xs
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffb171446f8,0x7ffb17144708,0x7ffb17144718
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2000 /prefetch:2
  2⤵
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:1952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
  2⤵
  PID:3200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
  2⤵
  PID:2080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  PID:2848
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5140 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5204 /prefetch:1
  2⤵
  PID:3648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:8
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:2148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:3408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6016 /prefetch:1
  2⤵
  PID:1776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5304 /prefetch:8
  2⤵
  PID:852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:208
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5596 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2028,8009619070164893624,14979422627052525348,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5712 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2616

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4336

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2004

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x324 0x4a4
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4976

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5368

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte updater.bat" "
1⤵
PID:5840
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 6
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:5944
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Start-Process Aphrobyte.exe -Verb RunAs
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:6020
- - C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
    "C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:6140
  - - C:\Users\Admin\AppData\Roaming\XenoManager\Aphrobyte.exe
      "C:\Users\Admin\AppData\Roaming\XenoManager\Aphrobyte.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3516
    - - C:\Windows\SysWOW64\schtasks.exe
        
        "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp" /F
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4788

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte updater.bat"
1⤵
PID:5384
- C:\Windows\system32\PING.EXE
  ping 127.0.0.1 -n 6
  2⤵
  - System Network Configuration Discovery: Internet Connection Discovery
  - Runs ping.exe
  PID:3952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell Start-Process Aphrobyte.exe -Verb RunAs
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:5480
- - C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
    "C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:5636
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:3040

C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
"C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5432

C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
"C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:644

C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
"C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:1640
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Windows Updater" /XML "C:\Users\Admin\AppData\Local\Temp\tmp9805.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:6024

C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
"C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:6092

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:5136

C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe
"C:\Users\Admin\Desktop\Aphrobyte Installation\Aphrobyte.exe"
1⤵
- System Location Discovery: System Language Discovery
PID:5004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
6cf293cb4d80be23433eecf74ddb5503

SHA1
24fe4752df102c2ef492954d6b046cb5512ad408

SHA256
b1f292b6199aa29c7fafbca007e5f9e3f68edcbbca1965bc828cc92dc0f18bb8

SHA512
0f91e2da0da8794b9797c7b50eb5dfd27bde4546ceb6902a776664ce887dd6f12a0dd8773d612ccc76dfd029cd280778a0f0ae17ce679b3d2ffd968dd7e94a00

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Aphrobyte.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6960857d16aadfa79d36df8ebbf0e423

SHA1
e1db43bd478274366621a8c6497e270d46c6ed4f

SHA256
f40b812ce44e391423eb66602ac0af138a1e948aa8c4116045fef671ef21cd32

SHA512
6deb2a63055a643759dd0ae125fb2f68ec04a443dbf8b066a812b42352bbcfa4517382ed0910c190c986a864559c3453c772e153ee2e9432fb2de2e1e49ca7fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f426165d1e5f7df1b7a3758c306cd4ae

SHA1
59ef728fbbb5c4197600f61daec48556fec651c1

SHA256
b68dfc21866d0abe5c75d70acc54670421fa9b26baf98af852768676a901b841

SHA512
8d437fcb85acb0705bf080141e7a021740901248985a76299ea8c43e46ad78fb88c738322cf302f6a550caa5e79d85b36827e9b329b1094521b17cf638c015b6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
beade14b0b210d3e3a8c59684c2268ce

SHA1
009e51f41387df5417ea12aa634b30aa428e4f81

SHA256
cf25a27e6fe551840fa50c6587cc951c1ecc398c0bc5edfe9f7681e02d82b43e

SHA512
827d96b204334170a7669e06b40e7d20906f9d1acfd488c6916a5671f0f7be1d5a5ba082cc9fb03fe1de31ea9674da574270d9b9135725b5ff4fbec0ee770a36

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
af5284e761c2c2214222f22ba59cfb68

SHA1
5341d87b017ccb9aae3e61dbaa1382108ee50fff

SHA256
14d06d3be411e707e76e9b8d182be5d1edf09b24a287a71a01d7315ecc3d9cfb

SHA512
a96c5d24b227947ebea05f991d2b296f28a2d87e6f97be96d9eb2e93739da952f26719a892d83acf5e6f45eddabb8c85d55b146e882b0de9c12c5d03659e46f9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
41f81399fe47dcdee0931bf054ee96f9

SHA1
dfef5224d360b5c60b991ef6b0f6969c228d1a86

SHA256
8fc2b77efcce2b263a2af22c5de8bf606592486f80f18972230f1602ae34279f

SHA512
56566db1294df52ac9139268a7b1d12f6d25b54d22afbc7e682e598231516a17343e7434950d319212d27718056b7f1ff2f06cb06e9e6a2add64a38fb080dac2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e2b3a2631cf462f1e710780b8403d2d7

SHA1
1418c8610d8cd5f77c3ec8e3b9354d4615880599

SHA256
58b5242d4b4fc7fb979a056f8a531918272c56efd6763c0f8f65286e759fe433

SHA512
8db7f35fbf85e592860c2f6fe4ddb11f45b96fbbad3727b40cb28aed6cd0d4adbf3997efe4bfc100cf216bacc660459b8e063a8e68914d692012b69712c7b593

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
6664d43d6f1b9cd6f48793648d2cb0c8

SHA1
f2b0a84f700e71afec67aabd4202917fc39a5e71

SHA256
14a2094f4e1f53d0b1d8b455b58932c163d7fb30ff5cdb930fb3fcff2e38756a

SHA512
5fe7a9460ef4bd7d70faac65dc086e65d5d4f15d74fdd35632636f1c60476a8a6ba7adc224c1d03845de8881478faa7a7e309acc4914f433bd6ad41b4ece2afc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57ea21.TMP

Filesize
48B

MD5
5c88a04f382c3db6070380f2d4287c65

SHA1
b37b1682a81f2a9e4ed75ca5e1be959c83e8917e

SHA256
a745554684d0d856e57d28bd8a1dfa8fa969ae6cb98670d64d675caac35459c5

SHA512
194c942232b45ce5d94cf8d7de855a894fca5ebe5837a8fd5439eb30f4d4bd83ca9a510530995a824c9b900d273a3077587e077024006c80a895bef6c5dd2efc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
25ec9cc4ff4a3c352bc944bec1d8ec16

SHA1
c7e1261648e46867a0f77e5ed6dd724ae52c68db

SHA256
bcb327b78f71f036d643197f85eebbde4f72f6263671ae425a398dc6e604ad23

SHA512
e3d7c59ee5b30c3736b443546eacf1b8606e7c9c8c55845400b391bbd902d6992a3ad53a101b1f529dae8c12553b8cd753ca82c376c7f7594785e74ecddd95b5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3a7ca0ab675904f2f00bd37ee474ceb

SHA1
a00d526d60bc609591c2b4a3aaae176fbb4d316e

SHA256
e85681da2793436830b8ea7eb68306bd30af6d8a9e910621a6dbf9b99370dc31

SHA512
77656ad786ef4e2e25a0e740d88fc38069c1130746bc44072e7cc23a07afc8c202e185b8fec9edfd8a95ab71ba89df4dbaec98e167e3865dc681d618d8922937

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
1a11402783a8686e08f8fa987dd07bca

SHA1
580df3865059f4e2d8be10644590317336d146ce

SHA256
9b1d1b468932a2d88548dc18504ac3066f8248079ecb083e919460bdb88398c0

SHA512
5f7f9f76d9d12a25fdc5b8d193391fb42c37515c657250fe01a9bfd9fe4cc4eab9d5ec254b2596ac1b9005f12511905f19fdae41f057062261d75bd83254b510

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yqtsrzq1.ppt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp3459.tmp

Filesize
1KB

MD5
e98eaaf50b88fc1c14ac0f903e7a8ca3

SHA1
585fe1959322fbfeb1dc07e397741fecad00a5f8

SHA256
8824b2c9e314591ffdd34fb1f777f18bc2fb4d395334c346922dc36197e4151e

SHA512
3917469df8819a5555e3815542c3dea9a3cf178d882e92ee80711d912e17f17c2e5fbeab7d3e2115908501c37f7738de4a44e4825b23f8d252b57203ca063482

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5B89.tmp

Filesize
1KB

MD5
e615980f8a5425466edf4838044240cc

SHA1
9dd3ff85a6e932d6fd7141b2c0e176b1fe513455

SHA256
4ccf242a0ec528a3605184e3ae6ff061203504608905fa1d785086d1c2e031a3

SHA512
ceb0c8216ad4ab497574c6c9a8379c24e4c7b3a31cad22cdcf24010cfd05c66dcdc15ed9760ac6c7589d636c25e2e37b09395a08a7e59d0945c0ed035c408eba

Download Submit
C:\Users\Admin\AppData\Roaming\XenoManager\Aphrobyte.exe

Filesize
45KB

MD5
ecb665743eff6b3c7242289a8e536c40

SHA1
fcd29038c0252a97f4486bdd33f1cb1fd3795c82

SHA256
56b800d8d486486617b143ecd79ffc81594b6c994aff5affc5ca3d6d33a5d563

SHA512
4b0da5de7736f1424a3d7a9ca8be932acd3a728c32ff9de4e7c2e235abfb7794a1718d873f6daf5fa8ec06b8350020cee31d12d838b09dcf258cce3e22fb24b1

Download Submit
C:\Users\Admin\Downloads\Aphrobyte Installations.zip

Filesize
3.3MB

MD5
2373daff625ed550a370148d085e4a39

SHA1
1b65a9291d09444032307dd63dddfacb4fec9c9f

SHA256
8938f161f4413d407897e29b9921d55bc3e75bf3dba26d506c60e105e9b1bfb0

SHA512
b9e434f928434b058e069de5bca445f5b3ca4a6b59017c740a3c0454abca902233eb54b764a6cd05e3b65629893d13965b9d88d508a67ab78e256fb0a9f9aafd

Download Submit
memory/6020-224-0x0000020078C20000-0x0000020078C42000-memory.dmp

Filesize
136KB

Download
memory/6140-231-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download