xenorat | hxxps://mega[.]nz/file/3dk2XQDD#ysLgAdhZNxku156O72sit5xA9rysNz3tY5OcmdLfjUI

Analysis

max time kernel
292s
max time network
286s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
14/01/2025, 12:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/3dk2XQDD#ysLgAdhZNxku156O72sit5xA9rysNz3tY5OcmdLfjUI

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Image Logger Core

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0003000000023518-170.dat	family_xenorat
behavioral1/memory/5748-175-0x0000000000010000-0x0000000000022000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	Image Logger.exe

Executes dropped EXE 3 IoCs

pid	Process
5748	Image Logger.exe
5956	Image Logger.exe
5840	Image Logger.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Image Logger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Image Logger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Image Logger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 139051.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\Image Logger.exe\:SmartScreen:$DATA	Image Logger.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1280	schtasks.exe
5880	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
2100	msedge.exe
2100	msedge.exe
2624	msedge.exe
2624	msedge.exe
1596	identity_helper.exe
1596	identity_helper.exe
5320	msedge.exe
5320	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe
4964	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	4408	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	4408	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe
2624	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2624 wrote to memory of 960	2624	msedge.exe	83
PID 2624 wrote to memory of 960	2624	msedge.exe	83
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 5004	2624	msedge.exe	84
PID 2624 wrote to memory of 2100	2624	msedge.exe	85
PID 2624 wrote to memory of 2100	2624	msedge.exe	85
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86
PID 2624 wrote to memory of 1844	2624	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/3dk2XQDD#ysLgAdhZNxku156O72sit5xA9rysNz3tY5OcmdLfjUI
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2624
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd1b3f46f8,0x7ffd1b3f4708,0x7ffd1b3f4718
  2⤵
  PID:960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:2
  2⤵
  PID:5004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2888 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
  2⤵
  PID:3916
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:4804
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4996 /prefetch:1
  2⤵
  PID:3960
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5452 /prefetch:8
  2⤵
  PID:4516
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  PID:1920
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6120 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5788 /prefetch:1
  2⤵
  PID:948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:1812
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5316 /prefetch:8
  2⤵
  PID:2944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5236 /prefetch:1
  2⤵
  PID:1280
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6568 /prefetch:1
  2⤵
  PID:4684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6596 /prefetch:1
  2⤵
  PID:4596
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6952 /prefetch:8
  2⤵
  PID:4828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4000 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2084,4289832784751454117,9836811340241012513,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1776 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4964

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2572

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3528

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x33c 0x320
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4408

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5680

C:\Users\Admin\Downloads\Image Logger.exe
"C:\Users\Admin\Downloads\Image Logger.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:5748
- C:\Users\Admin\AppData\Roaming\XenoManager\Image Logger.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Image Logger.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5956
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2FF4.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1280

C:\Users\Admin\Downloads\Image Logger.exe
"C:\Users\Admin\Downloads\Image Logger.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5840
- C:\Windows\SysWOW64\schtasks.exe
  "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpE1C0.tmp" /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Scheduled Task/Job: Scheduled Task
  PID:5880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Image Logger.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d7cb450b1315c63b1d5d89d98ba22da5

SHA1
694005cd9e1a4c54e0b83d0598a8a0c089df1556

SHA256
38355fd694faf1223518e40bac1996bdceaf44191214b0a23c4334d5fb07d031

SHA512
df04d4f4b77bae447a940b28aeac345b21b299d8d26e28ecbb3c1c9e9a0e07c551e412d545c7dbb147a92c12bad7ae49ac35af021c34b88e2c6c5f7a0b65f6a8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
37f660dd4b6ddf23bc37f5c823d1c33a

SHA1
1c35538aa307a3e09d15519df6ace99674ae428b

SHA256
4e2510a1d5a50a94fe4ce0f74932ab780758a8cbdc6d176a9ce8ab92309f26f8

SHA512
807b8b8dc9109b6f78fc63655450bf12b9a006ff63e8f29ade8899d45fdf4a6c068c5c46a3efbc4232b9e1e35d6494f00ded5cdb3e235c8a25023bfbd823992d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
66437fff54c196029ed6b3d9043bbc23

SHA1
33d4e85bc5fa6f0a0e9584f857c487aacf34be9b

SHA256
597c76d4c3b780db8993d41be74f126057bb25dc40efbdca4aa3d467d31bec0f

SHA512
caf3d32517a9e08937c535b45bae2998aac4f1653a4f8a69736faf0765138e7eef459760dfdad7795e401b7c1cb3dee75a3c17206eec3a94f81eaa87a45b6ce8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
2490b740d07afd9a80914d321ed3fa56

SHA1
b1836377e06b12dd756c04f9187212a25fd0103a

SHA256
3491bfb3e9e1739013b7236e647636eb0a88f2edd714f02305aa779ea873dd8d

SHA512
18a7e1a2fff56a3296b19ab45117b8a3c850df358b8feffda566afbba42ac9a39b2e42f1994503ffc28b04b93f3f9835445e34d46a4763688fd4b42bf34a9bff

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6830c3ecfc688703cd29bcfd8d1d34a9

SHA1
9039055014347941ca2d104a9a9127626c6d8a97

SHA256
d81d67e3ca957b2b2b446d2203e820d9e2270da297ddd960ce2428f11246bbe8

SHA512
43b92ba4fa3e9e0813899c116ea75ad64e557483e8bd704c0887734f06caa8f07d7ae2c53656584ccbd4adad2cc370d489c6e79b773d918504b0b9e9d628ffdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\Database\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
d11300a186627e915a56e723c2ab1e1b

SHA1
6dd186a50e335027270d1f1aec3bf07aec287a4e

SHA256
c94f5f60cdf44ed8773abaa1f01776c1c3dc01f021a9e1fafa7483ce849598d3

SHA512
6415ba724dd83c1704177c2b1a6d8287cc5116ff4ea0aaadd2451ba66c0183ce71de67ff906ab48d53777c9129f6de45ba066d19aa69486dbfda03ade1750a6c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe582cc8.TMP

Filesize
48B

MD5
e6033a115d0a46e5c94872985b2b98ab

SHA1
1a654ebb0c518ae2972e12a14a291e70e48d7aaf

SHA256
21ebeef17ffc1a2e14b0a3326e316418f806c20d85cb73d216e8e2273c3b96e5

SHA512
c362bbc5ac053bbf58af071834262301d7064f0299f39f2ad37995ae6b7849157698ddfc8eced79c1916339dbf4a8324d09c48c6568ba30b58f6b294c1a6dc54

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e7cbb4a4903a519491ce492781e8b8da

SHA1
e57c646d086640231f14d55afa8c6fc6e7218a54

SHA256
9614ed21feb95be3944607df19e93b712a7073989cd4512fab176f7ec8b30923

SHA512
4d4a7b786c202e180cefcd4f023d734bed647e17caf8f7abf9e05a750412e37a86ff2f921438887ad00e7ca77261154cb31f8e5afd50cf8b9ad6843cfe2c3b2f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
cf99333b14059e3f53161094ed1a942e

SHA1
5dccd49b11d0980104b3dd4370d3fcfba075a1ec

SHA256
66f16b8d461381d2eb647090af964533fe8a4cccac914f682064f0bb5ee711cd

SHA512
e860e8395f916b51bb292d1bb412ab545f856aeab4867fc1bdff97939b5799485b9a97cfc31cf9b2d4e6a30788ff716f4e1e7ff5cc757320136acca1f19a93cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2FF4.tmp

Filesize
1KB

MD5
046923f59e5cd4a8ed46681b81dacaa4

SHA1
332e10f615e209295c99f4af1faf87685479f886

SHA256
6deba1794637fe30056199fc8207d1c372790719981642539e62c39096de5142

SHA512
27a55f3a3670afdebd003e8cc1355e0ba2164a1a87a68f2271100ee26f7567b0ee48bd8546aa0b75abe26d942784a42987f48569f9d28a85244269ef9de836c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE1C0.tmp

Filesize
1KB

MD5
cd52678278047419efa082ce7b991040

SHA1
5ebf870dabc3e320c0e73918f54eb9efdff41d5d

SHA256
ca5cbe1898c3eaa4f85055f70d1d4a1ea5ac1ed0cba9af93b2841a6a631b2af6

SHA512
f5d355a4be31f15fe4f4e10499657f6ca4299369edcc7c096f96fe4e56273ad27d2e3eb7f28da4c8e7217398b9140204a5e3d56f3e542e24e27315efada9aea6

Download Submit
C:\Users\Admin\Downloads\Image Logger.exe

Filesize
45KB

MD5
bd2e40aeb863ea177377a1cf67b6a626

SHA1
ac4193c0d36618c0cc28471034d6e7071aa79549

SHA256
d10b1b99492ee34d875187452c2b97fc4396b5d50755af8e9f9da0db312e4718

SHA512
05ad7445263ea5d7b095afc96ccf565c7055623fead360ca0cf0b3a5726158e389d338133c804fad3b2e5d81b7c1243cfcacb176922a75b714c6a0810d2e83fc

Download Submit
memory/5748-175-0x0000000000010000-0x0000000000022000-memory.dmp

Filesize
72KB

Download