xenorat | hxxps://gofile[.]io/d/ZbAu20

Analysis

max time kernel
145s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 18:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/ZbAu20

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
temp
port
5555
startup_name
Nvidia

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0012000000020363-66.dat	family_xenorat
behavioral1/memory/1472-101-0x0000000000E50000-0x0000000000E62000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	Asmodeus.exe

Executes dropped EXE 3 IoCs

pid	Process
1472	Asmodeus.exe
1164	Asmodeus.exe
2372	Asmodeus.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Asmodeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Asmodeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Asmodeus.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 170231.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Local\Temp\XenoManager\Asmodeus.exe\:SmartScreen:$DATA	Asmodeus.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
732	schtasks.exe
432	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2344	msedge.exe
2344	msedge.exe
2844	msedge.exe
2844	msedge.exe
2528	identity_helper.exe
2528	identity_helper.exe
3172	msedge.exe
3172	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe
4272	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe
2844	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 1052	2844	msedge.exe	82
PID 2844 wrote to memory of 1052	2844	msedge.exe	82
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 5040	2844	msedge.exe	83
PID 2844 wrote to memory of 2344	2844	msedge.exe	84
PID 2844 wrote to memory of 2344	2844	msedge.exe	84
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85
PID 2844 wrote to memory of 3624	2844	msedge.exe	85

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/ZbAu20
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff7a3846f8,0x7fff7a384708,0x7fff7a384718
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:5040
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2208 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2344
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2844 /prefetch:8
  2⤵
  PID:3624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
  2⤵
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:1004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
  2⤵
  PID:3568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  PID:2540
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5040 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2528
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5064 /prefetch:1
  2⤵
  PID:4432
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=4784 /prefetch:8
  2⤵
  PID:2940
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4812 /prefetch:1
  2⤵
  PID:3420
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6000 /prefetch:8
  2⤵
  PID:2856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5856 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3172
- C:\Users\Admin\Downloads\Asmodeus.exe
  "C:\Users\Admin\Downloads\Asmodeus.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:1472
- - C:\Users\Admin\AppData\Local\Temp\XenoManager\Asmodeus.exe
    "C:\Users\Admin\AppData\Local\Temp\XenoManager\Asmodeus.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1164
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Nvidia" /XML "C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:732
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4056 /prefetch:1
  2⤵
  PID:1828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5608 /prefetch:1
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4792 /prefetch:1
  2⤵
  PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6136 /prefetch:1
  2⤵
  PID:2424
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2080,11080111609562710779,9565767145453736119,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5648 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4272

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3960

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5052

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5064

C:\Users\Admin\Downloads\Asmodeus.exe
"C:\Users\Admin\Downloads\Asmodeus.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2372
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "Nvidia" /XML "C:\Users\Admin\AppData\Local\Temp\tmp299B.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Asmodeus.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fab8d8d865e33fe195732aa7dcb91c30

SHA1
2637e832f38acc70af3e511f5eba80fbd7461f2c

SHA256
1b034ffe38e534e2b7a21be7c1f207ff84a1d5f3893207d0b4bb1a509b4185ea

SHA512
39a3d43ef7e28fea2cb247a5d09576a4904a43680db8c32139f22a03d80f6ede98708a2452f3f82232b868501340f79c0b3f810f597bcaf5267c3ccfb1704b43

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
36988ca14952e1848e81a959880ea217

SHA1
a0482ef725657760502c2d1a5abe0bb37aebaadb

SHA256
d7e96088b37cec1bde202ae8ec2d2f3c3aafc368b6ebd91b3e2985846facf2e6

SHA512
d04b2f5afec92eb3d9f9cdc148a3eddd1b615e0dfb270566a7969576f50881d1f8572bccb8b9fd7993724bdfe36fc7633a33381d43e0b96c4e9bbd53fc010173

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
14208a6e34262a1586da1963ae9536be

SHA1
c007280eafbb8cd69f2427219f0e5e34bbd1b037

SHA256
e185079b6d5d31b236af2c2b121265f815bc5b2fa248a292538b406758a42933

SHA512
eeeec24e208bc8f35cc8044a96d153bdb9ca9a587b06453c453b14fda6934756a87da96b1987a592b0b98837d80fcc958ccd41d1c72f14a602cc58e6903dfe98

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
391B

MD5
0f6d48d28f3398c4f70388657884288f

SHA1
296a46a341d8fa303970053f713b27277ba0f139

SHA256
023d03a2f36fac62c6a15b3cbb3c419a1299f32446831e615eefd08303674cf6

SHA512
a26af5692fa87154e2e2cbb15b307eb1a9cf4f11ef0881d55a3bb36da4c19d85917887098c3b801d61f0fae9e5731aa56d339a44397a8a0299ec4811d8e94f64

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
afe7fa6b2575bf2e9776d634cc74c626

SHA1
f51510ed9a0ed0087071818ba693b9320b2120bc

SHA256
20be36d404c20b4ccde72a5fa5571f79ee4862a532ce557dc3e47733972bfb2b

SHA512
b7265df9dbe9306026022ca6cb11f610e4fe720b03c7257beba65939aee680af237c6364c99a7752f604f8e54f053ed1efb0391b3981459faa30110af4974178

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
041689b42f5d780b92fd0dcb0b0f284c

SHA1
8544410e8d3108bce6f5fa5820d0b73bf8b7a1c3

SHA256
5f9eea5295db51795c1ac8b818439b9154825333645e06eb78500c2d83fe3c78

SHA512
a477bc27d8fe811d0555fff85d207de58b210462c58016c3b86ba8bdcb23b03f65fe76e3468a0a2a67f17956fbc24dce23df429625bacbca6782000eb135cc67

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
ef5fe89f54c5681eebfd5a87a9a441b5

SHA1
c66117886b081eaffd49386a67d5a1fd0736fec1

SHA256
f6019c9aea8ead69dd64fefdc3485fcd3a75fc61a5944f15ea3f90a20a068242

SHA512
ffa161761a0400a889fd5a4b045a8b09f9dcfae7641540dfdaa69b73d219ce84b7f4f889a2cb1dd2356a3b6253f2a1dadd7e7d1919118506465e9048bd3dfc7f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3f5dff1e922195713b0458196e2206c

SHA1
3f141ca1360bad15823120aa726a010a7be310f7

SHA256
36c7d7bbd32e7912d2bc3cd0cf7a9452e91bf619c17b7f69efb5b1db37a34348

SHA512
bf6e14c5f0e92a2ab348103b60adbef8ae2e9d5b63375253ff5f7aac4fb9a3dee1703a7df9f13a55dfca7395ca3f37b4997d224569bbc694e1be68659899286d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp299B.tmp

Filesize
1KB

MD5
48a424510dcd7475dea74503f9c1f38e

SHA1
d1c5cc6e538cb36deee999e8592508be6a22fe56

SHA256
2957e0bd582ea1266ec27190ba28c29e96917ddde70063a5cd573c64947a0bc0

SHA512
fd34e61c31e3e02c0981b7a5f3b85d3a65d855314db4f56aaa4a7c7da8b58631934c643278c0ff6713ea3903f62377e36fb5a0c670d681000f873d8515e6b054

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCC29.tmp

Filesize
1KB

MD5
68a58fd7b82e3ba662be6b8e1748aaf0

SHA1
50327e81d3ed870646e4d0dedb2b7b13837d0e7e

SHA256
6789ec30e576f220054bbc7346f2ea3e8cdb2febea211748ce1771ff0778e7a0

SHA512
ee9e2f3e5ffddd398b1729c93911ec288228c4a5eb91ad7bdc8f8dbe5397793282bc8fda9eb2cfc1510629bfcd44b26542027ae8572b37546a7a00d38f65d9ca

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 170231.crdownload

Filesize
45KB

MD5
36d4e31f204328765cc90479120ffc67

SHA1
93db5095a6d7cab9e7f81cf8688bd82814690b1a

SHA256
3c154f0957fabb42e2d87b02497e006ffe2d0ee4701f7ca05b57d9c6ccc9f1a8

SHA512
8a5e7b2f335ef4ff58dad0eb1fe9cad83f3d26ae1ce633353aa4d3a6d1ef82b9108c8a1deaafb431b9ba5ff9975162f09cd2528208a96cccace0bd2548bed9bf

Download Submit
memory/1472-101-0x0000000000E50000-0x0000000000E62000-memory.dmp

Filesize
72KB

Download