xenorat | hxxps://mega[.]nz/file/jVVllYDT#Zs7oGXsu1geIpVKSN8QsFiIYy4g8_2dtIqN7Vqcg7Oc

Analysis

max time kernel
300s
max time network
287s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
14/01/2025, 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/jVVllYDT#Zs7oGXsu1geIpVKSN8QsFiIYy4g8_2dtIqN7Vqcg7Oc

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Image Logger Core

Attributes

delay
5000
install_path
appdata
port
4782
startup_name
nothingset

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00280000000462ba-329.dat	family_xenorat
behavioral1/memory/1984-338-0x0000000000740000-0x0000000000762000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000\Control Panel\International\Geo\Nation	Image Logger.exe

Executes dropped EXE 2 IoCs

pid	Process
1984	Image Logger.exe
2484	Image Logger.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\a83dd27f-5447-40a3-8dc4-f0821cbdb604.tmp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250114142453.pma	setup.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Image Logger.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Image Logger.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1576956541-1869783662-2981982442-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 394649.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\Image Logger.exe\:SmartScreen:$DATA	Image Logger.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1468	msedge.exe
1468	msedge.exe
752	msedge.exe
752	msedge.exe
4136	identity_helper.exe
4136	identity_helper.exe
2564	msedge.exe
2564	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe
5632	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: 33	2384	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2384	AUDIODG.EXE

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe
752	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 752 wrote to memory of 740	752	msedge.exe	81
PID 752 wrote to memory of 740	752	msedge.exe	81
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1652	752	msedge.exe	82
PID 752 wrote to memory of 1468	752	msedge.exe	83
PID 752 wrote to memory of 1468	752	msedge.exe	83
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84
PID 752 wrote to memory of 760	752	msedge.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://mega.nz/file/jVVllYDT#Zs7oGXsu1geIpVKSN8QsFiIYy4g8_2dtIqN7Vqcg7Oc
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:752
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fffe57b46f8,0x7fffe57b4708,0x7fffe57b4718
  2⤵
  PID:740
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2060 /prefetch:2
  2⤵
  PID:1652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2424 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2900 /prefetch:8
  2⤵
  PID:760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3420 /prefetch:1
  2⤵
  PID:820
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4948 /prefetch:1
  2⤵
  PID:1664
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  PID:2628
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
  2⤵
  - Drops file in Program Files directory
  PID:2984
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6c9f95460,0x7ff6c9f95470,0x7ff6c9f95480
    3⤵
    PID:4948
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6212 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4136
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4120 /prefetch:1
  2⤵
  PID:1292
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5484 /prefetch:1
  2⤵
  PID:412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:4768
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6580 /prefetch:8
  2⤵
  PID:5072
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6288 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2564
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=7036 /prefetch:8
  2⤵
  PID:4652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2032,6599311074124844081,11526878599375897661,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1832 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:5632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4876

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2928

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x508 0x50c
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2384

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:1624

C:\Users\Admin\Downloads\Image Logger.exe
"C:\Users\Admin\Downloads\Image Logger.exe"
1⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- NTFS ADS
PID:1984
- C:\Users\Admin\AppData\Roaming\XenoManager\Image Logger.exe
  "C:\Users\Admin\AppData\Roaming\XenoManager\Image Logger.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2484
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "XenoUpdateManager" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBC3.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5176

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Image Logger.exe.log

Filesize
226B

MD5
66aea5e724c4a224d092067c3381783b

SHA1
ee3cc64c4370a255391bdfeef2883d5b7a6e6230

SHA256
04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923

SHA512
5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b1afd1f3bb6d3cc095633dfb658f7f9d

SHA1
469412bedd41b363cd6de9c835a98ffaa3c2a096

SHA256
a324e5e9948e4a401b870f5cfd777cce3dbd7c21e4d323f1ae59619eb5b6c77e

SHA512
d4a1827dff204d427f066b7418ad0f416331b639afd3bd94d37cb452570693357a000f4748d7a6bd98807e47d493caa662f8362bea244245903327b6f05edc78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
471bd212cd35f2fa298b584246672896

SHA1
e12bc178ca9e9f02ee72df03a15ae8fcb519eb83

SHA256
4cf2497882fdba2b918efeb86d82491d35e5d8bc557f0ae60fe0169797aa3c89

SHA512
1d0f0f9338c9fcdc6a2066a1d0217fd235da732526cf503cb7d7d7604e0e0a6defb77e2143b0bdac1fae9d211670440d2492507291cdb7c67a5decf603c6d084

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
48B

MD5
b4354e72222bc9837250c1300669e3fa

SHA1
63f3f12fa0a3b50020bd0341ccad6738845fed6b

SHA256
ae46208df8ecd743e4e29d65ada7132f02b444062946c7c4cc8ca27a32c3de8c

SHA512
31c0f850daa722fc72ba681e3c2b593aff3f369ab4d1156ced6ff2425208bd13c7319ebd3ef215fb99059f37fb8fe9f7c053ebb5aa8e0746d16d36e3430305c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
f05b34756f6bb043fa1c936dba622215

SHA1
684d9ee1df6e2b2a10ca9196f7119f4cab0c6da1

SHA256
4a1143de418732ac3aad1f8cb2d81e3a6a3de2c0939bb4f335f00f59671ba7eb

SHA512
a92068009b1a15afa917318e69af875c67867eace80c69ebba9bf02134481c121281f5fd34e1adc161fff15795665bd158206f503d8c618b6d39ebd19a9f1191

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Edge Profile.ico

Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
257B

MD5
ba4e2003fe7d847c86a7514b27c21c5f

SHA1
7dc5189fa073797ff6cec15cf7921146f4fa0ab5

SHA256
16d31950c2af414b5028501c261a72b6f7f125e5e35a62ad274ea4b1bd7de92a

SHA512
079550c3eed1641c8de52f55d9967e4862465835d9899fad9439580c1e66fb7cd56326be1088a8ecc10f648bcc603957c5979885909b42485733ff37b079ce5e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State~RFe58919c.TMP

Filesize
59B

MD5
2800881c775077e1c4b6e06bf4676de4

SHA1
2873631068c8b3b9495638c865915be822442c8b

SHA256
226eec4486509917aa336afebd6ff65777b75b65f1fb06891d2a857a9421a974

SHA512
e342407ab65cc68f1b3fd706cd0a37680a0864ffd30a6539730180ede2cdcd732cc97ae0b9ef7db12da5c0f83e429df0840dbf7596aca859a0301665e517377b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
519e081800e59b1b0ef3d3633e0926c3

SHA1
3c2439135c6c72871b6b01b09efd112e16717a8a

SHA256
05e7d4cb0e1c40a8206d2a02cd7aeda389092d53fab9b93b025c59ace8206074

SHA512
1a85c9003e147b23313961b671d9566ad9e188e712842046caa1d538fdfc070b83eda7185d3082412faa27eb06f47b61195859dd6d6b804b79bc4467fae3bea3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b20d741d8bc28953c0a15b3a499c4ac5

SHA1
91c90e94a59341bcbd8682a0fbe8128f07b80bdb

SHA256
37c0cfc8d33cfb5368e9460b45bc01882be7053cfde1a27f7710f7c7819b5e0b

SHA512
ac96737b052e33e1f5fed97bb957695fa7ab36b3bf6d27c523f167b4aaf15f5ed2979d5d699b3e64c9658aea7920d22ac1d868bd6bea15645c34f015766705db

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f4dd108e1c69e33262f8bb106629fce6

SHA1
073ae1cddf380b1ccab571e45a3ac07e525b2c92

SHA256
1e0b804b9cc08c8944398afba7650362244989e39678154dcfb73495474e7aa0

SHA512
cd8dc93fbbf4e8978a6228c2ded7d39fa86b9a74f6b6d284b20f68b965407a5922c5dd243a9df1618c45f7aca06701d9c960edba6bec6ffc130b08767448e658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
ee09e9ed5bea3b88cdf2c8a7152629c7

SHA1
81af46cdc5528a7e046fe3d29f9148d530216b96

SHA256
1aacb22be4601a731ef428ea51dd438b1543243998ea5666201b5f2d47c83183

SHA512
edbae717968525dbaef599670724bcd5f36fd0964429471084e6d6a9fa964931bb7fa90ab12783e7876c372a89c8e18bf8a180d94871db0e9a91bec15f809244

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
3a097c21c04d45f282202d0133201f4b

SHA1
d236053493daa634b6d56db6f76ed57de869299a

SHA256
da422ac15271b8367827e5fd56e8536bd94f63b963bb12e941f55ac03d9fb8f3

SHA512
99c74bd2215156a329e9b73441e1cda4b6c38fc9d6cca3830413118f2df24a112048e871cd48e0e42216e1787e2ad1f1db84ebd8744398059934f5ec318798ab

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
9985ff2e2c24e3b7122a125896d1d4de

SHA1
054e895d104e759019e4efe1b771746e8fe360d8

SHA256
d00f117b2bc70c9d44fd39ef50bc93e25faef0f4c852d18387328e6a57150ced

SHA512
ae749a844ca1ce55424a8926735db208913406f4719e26bcdf6e6eb37ef2918bca47ef5d5a4df3c24442e3feb18089e45da198eb624aff40ea93dd81edbd1bb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe57d84f.TMP

Filesize
48B

MD5
0e45e6773230aafc4c5364f061ddac0e

SHA1
7d9d1984cf27ce26d08ba9fbb21a1dd38889eba5

SHA256
9d8d043676d7fc45e65b2fed9443eef88a246c4a0233db9fb5d17e403aaa19bc

SHA512
50c62ede9d2877b9533cf8e8c3b85959d5c19c2ee5f2806b9e71e2f3ae8b322b30e966f177e687868c3df5b695847182a718c1c8f97da21578ef05ea6ad5770d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
59b45ce4ee173ff6206453398773c74d

SHA1
f39d7623749f8b2ce7b1746c3cad6ebc25a2fed6

SHA256
dc81bff6d44984cdfb0ad6395fcbda0c6ed2fc0f93245a72a5975a22ddf531e5

SHA512
db4c47924fc5cfe0e4692386c1350a90dc0e206850462bd8fe662e7bb42457d71307310558b978b6b74e55801e7005366e9876099903bc90a277c741091d122a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
fb44c8a218350dd571af21cf53b723ad

SHA1
d2b44ed1d18d56750828e15a2e6596d4402ce0f1

SHA256
0e2d58dd40c4969155b63df20ae1aa2c299a96b8e4eee80016a23ce8608a860a

SHA512
e479e59915332d7a3b1647bfc87da0ed48fe8483a899c0812c5201731fd9ae7f3bfd7b270ab5aa2530a5238e43c472914fa2cb858219d721d8218ab27093a7fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBC3.tmp

Filesize
1KB

MD5
046923f59e5cd4a8ed46681b81dacaa4

SHA1
332e10f615e209295c99f4af1faf87685479f886

SHA256
6deba1794637fe30056199fc8207d1c372790719981642539e62c39096de5142

SHA512
27a55f3a3670afdebd003e8cc1355e0ba2164a1a87a68f2271100ee26f7567b0ee48bd8546aa0b75abe26d942784a42987f48569f9d28a85244269ef9de836c9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
7b7a3fd11d24a12bbcea5c8fdca74286

SHA1
9f56e6a10013fc6a5fd8879a5eebf51ac38a65b5

SHA256
3a769f83f6a8ad8718ac739a48b07ad45d44e70e89b2e7ffcdc1dc10bc692729

SHA512
ddd891a38a417e91aee12d6e95b6128d6e7076a470896f04e109ba0dbc4ec5e6f02cef71e483f047f7bfe6107d5a4e20f59c96e819258ebe7ea182fc5c3bc3b6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms

Filesize
3KB

MD5
49c0dea087cfbe578dbccacb3e562858

SHA1
195c714deff8907975d643144ad93a679a144f62

SHA256
4279cfa1f946258bb3b0bbbe28fd41c18cdb792c74bd61490f6570325b3a2431

SHA512
f5d79cebdfe68c4d285225c00e5f85130a58d6ba421218c13b65a1c402829ba96df37e1e51fe62118288e382074239ccfb027cd1c35daa072b6b6a128eadf1e0

Download Submit
C:\Users\Admin\Downloads\Image Logger.exe

Filesize
112KB

MD5
72968eee77037455d75418ae36b9b2b4

SHA1
d9862a615c22808780348556692e6bb660a8ce8b

SHA256
1ccbdbd7a7b2bf6ac46d4cd4a7f11e255e32d532027ae5f5eb4c005b185e07c0

SHA512
92144e7df3ea636b580ea3cb8fb814030117c191ea17ed7f26720886e5681c59d53a82f428b9c26d81086eaafc14e78b00c3f48ab6eeef0d9aab918d0f208f85

Download Submit
memory/1984-338-0x0000000000740000-0x0000000000762000-memory.dmp

Filesize
136KB

Download