xenorat | hxxps://gofile[.]io/d/iy6mqn

Analysis

max time kernel
145s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
15-01-2025 17:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://gofile.io/d/iy6mqn

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

127.0.0.1

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Waze

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x00090000000006f5-66.dat	family_xenorat
behavioral1/memory/3084-101-0x0000000000310000-0x0000000000334000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat
Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	Waze.exe

Executes dropped EXE 4 IoCs

pid	Process
3084	Waze.exe
1912	Waze.exe
5532	Waze.exe
5800	Waze.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waze.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Waze.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 124373.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\Waze.exe\:SmartScreen:$DATA	Waze.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1840	schtasks.exe
5728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1152	msedge.exe
1152	msedge.exe
4908	msedge.exe
4908	msedge.exe
1132	identity_helper.exe
1132	identity_helper.exe
1576	msedge.exe
1576	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe
1288	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe
4908	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 1324	4908	msedge.exe	84
PID 4908 wrote to memory of 1324	4908	msedge.exe	84
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 2328	4908	msedge.exe	85
PID 4908 wrote to memory of 1152	4908	msedge.exe	86
PID 4908 wrote to memory of 1152	4908	msedge.exe	86
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87
PID 4908 wrote to memory of 2932	4908	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/iy6mqn
1⤵
- Enumerates system info in registry
- Modifies registry class
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffce3ba46f8,0x7ffce3ba4708,0x7ffce3ba4718
  2⤵
  PID:1324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2168 /prefetch:2
  2⤵
  PID:2328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2336 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2728 /prefetch:8
  2⤵
  PID:2932
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:4128
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4668 /prefetch:1
  2⤵
  PID:1576
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  PID:912
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4892 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5080 /prefetch:1
  2⤵
  PID:3660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5224 /prefetch:8
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4768 /prefetch:1
  2⤵
  PID:4904
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5192 /prefetch:8
  2⤵
  PID:4616
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6064 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1576
- C:\Users\Admin\Downloads\Waze.exe
  "C:\Users\Admin\Downloads\Waze.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3084
- - C:\Users\Admin\AppData\Roaming\XenoManager\Waze.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\Waze.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1912
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Waze" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4419.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5192 /prefetch:1
  2⤵
  PID:2152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6212 /prefetch:1
  2⤵
  PID:216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:3100
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4744 /prefetch:1
  2⤵
  PID:4088
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2700 /prefetch:1
  2⤵
  PID:5436
- C:\Users\Admin\Downloads\Waze.exe
  "C:\Users\Admin\Downloads\Waze.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:5532
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Waze" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBDAE.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:5728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2144,1920463114281216965,845252056719950984,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5220 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1288

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4632

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3652

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:5656

C:\Users\Admin\Downloads\Waze.exe
"C:\Users\Admin\Downloads\Waze.exe"
1⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:5800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Waze.exe.log

Filesize
226B

MD5
916851e072fbabc4796d8916c5131092

SHA1
d48a602229a690c512d5fdaf4c8d77547a88e7a2

SHA256
7e750c904c43d27c89e55af809a679a96c0bb63fc511006ffbceffc2c7f6fb7d

SHA512
07ce4c881d6c411cac0b62364377e77950797c486804fb10d00555458716e3c47b1efc0d1f37e4cc3b7e6565bb402ca01c7ea8c963f9f9ace941a6e3883d2521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
99afa4934d1e3c56bbce114b356e8a99

SHA1
3f0e7a1a28d9d9c06b6663df5d83a65c84d52581

SHA256
08e098bb97fd91d815469cdfd5568607a3feca61f18b6b5b9c11b531fde206c8

SHA512
76686f30ed68144cf943b80ac10b52c74eee84f197cee3c24ef7845ef44bdb5586b6e530824543deeed59417205ac0e2559808bcb46450504106ac8f4c95b9da

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
443a627d539ca4eab732bad0cbe7332b

SHA1
86b18b906a1acd2a22f4b2c78ac3564c394a9569

SHA256
1e1ad9dce141f5f17ea07c7e9c2a65e707c9943f172b9134b0daf9eef25f0dc9

SHA512
923b86d75a565c91250110162ce13dd3ef3f6bdde1a83f7af235ed302d4a96b8c9ed722e2152781e699dfcb26bb98afc73f5adb298f8fd673f14c9f28b5f764d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
144B

MD5
b14801f2c9c2f0b625057e094fbaeac6

SHA1
cec639fbd3cf7d278d6f46c37f50a224cf2b7f38

SHA256
25fd385f8169ee8912ebb7f8fbd9a6493f285d8f433bd44d67521e6122a3b693

SHA512
2b0ae2a226ae8586a7bf8e0ca448accc9f4bab09c6f86338cffdaa035479ca076e33c5d2e362f1ebf7a0fa94a6ddc09bbde044d3dd1e346b893a1dca9323a62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
399B

MD5
d30838c1fb27edd999f89880a1247ecc

SHA1
aa6fa7e48abe4f2b24722c0e564ac7f65c5d00da

SHA256
021e64627445e078484686401ac14192217350049ce02b65bf9273644749c33b

SHA512
0ec57b4dea0705a10fde0bd8a463e18594de6d89d850988428b2f47ad4c9e8fa8470dcae3237dddfd7d39966ece5fb8c816db49912e539c8d7c05d8e43f1bc06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
290a6e57ee04933a909c973cee4e0892

SHA1
f2a3c55c101e36ef8fb0fdc6ed37deea603f1d09

SHA256
70d766e6650f31182f56a9101a0bf720b9edf207fe2b0e0303008f00b67816f0

SHA512
ce1fc463da450895ec7af24be17e6b9bcc284791bc0c3545ce7dab7cb664774657cd99bc4dfb5a0301f358232a80b0b4d896e64f244fd668ff0de93c96dd9cd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
59389990a65ac994dd29b571f7fe4c22

SHA1
c004f18a6e203edd3cd8e6fce17d42774abde5c0

SHA256
62491bbab1a63b6b5cc979151a5fa35290c50b8d85906aa95659827a2b904b64

SHA512
b09378937de2935c0310da7855127d671e837bf9be41d9ded16bfa2a12d73436dd47a976ae7ba755e6802a9874b315d724361a9e4d31bfb4b7f63a3be96b6cb2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
045b9a041be2d87be378527a94e50354

SHA1
07f702734a7fcccd8c51f3e0a0556f57fb43baee

SHA256
a8fc276f95b02f52ee9d766a804cc1b39124f43edfe79bfea7db3692c84abbe8

SHA512
5bca86958b5465d0443887e0c99bcd592ce46e12ad793c864001dba3debf546ca661f8c57c24a7f28150d65479a1ac21ddada861b42590267ac973b11d8a2c6a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
89c1645ef105b3e308f3587ec9833010

SHA1
842c4c398fb3e04f5eaa7dbe3083b4e86ac44f05

SHA256
f6e870833b449ee0aec9746ea382753e370cb80cad39cf32db0cff8a2b39808c

SHA512
b63f9388e7eaf6098dfe014ab52e711d27c2642ac35fe3c9db198f726f6bf9e3e471bb03bb1a132e5c89c18e0d09f23f2d72cfd4764e8c18e9ac217cec705931

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4419.tmp

Filesize
1KB

MD5
ad7538fd8a74bf367fb471ae9caa18a2

SHA1
6e6b7eecc5a8eff92e17c8a1749fe95e17f53cd8

SHA256
3793e7d9d4ccd1f7dd481e11026e613cdc4563603441831c2a12da1cc7755a2b

SHA512
cdd74bd0053cf2808aec8d3dee88294f6de304ca6265dd60955f114181452128913621be1ce64aa7680bbf0805ebbd609e417cf7e9a0f3e844ffa627a32b6dfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBDAE.tmp

Filesize
1KB

MD5
1071bbe68c73b3d88484cf47faa4d918

SHA1
8e04e75d4d28923fe2d0c813013eaabfba8726b3

SHA256
a0c9a02b0ed18df95cac09968197917eb478761557c863f4e1d20469cc55fdd8

SHA512
fad3898453e51961c0b2411946cfdf4b79baa669bc7ee550c391b7b6ae5e506540cf8ad0bc269c34ac48a82a636b1078d0e36f1351e4b79458ff7af423952ea5

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 124373.crdownload

Filesize
121KB

MD5
348cfc9d86efbd17c1cd586fe71cb702

SHA1
b485ff6f2ea41792dcf0ddf7582759edc6472a23

SHA256
bcbaa9a73ca5d2b7b4a545d9dc2ab27f6b512818a580e10ea3b95de81c9b779b

SHA512
84dec4e5129e829867c7cdfed2ed637b0cd9109c897737f6fa972a8a7c81e5ff4f377ef29d36d995dc70eec33d30f9be23c8fde61a4a986a20d1df65cbdfe6ed

Download Submit
memory/3084-101-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download