Analysis
max time kernel: 56s
max time network: 57s
platform: windows10-ltsc 2021_x64
resource: win10ltsc2021-20250113-en
resource tags: arch:x64, arch:x86, image:win10ltsc2021-20250113-en, locale:en-us, os:windows10-ltsc 2021-x64, system
submitted: 25/01/2025, 18:46
Static task: static1
URLScan task: urlscan1
Malware Config
Extracted
family: xenorat
C2: 127.0.0.1
Xeno_rat_nd8912d (unlabelled on the page; this string is the default client mutex name in the open-source XenoRAT client)
delay: 5000
install_path: appdata
port: 4444
startup_name: Security HELP

The C2 is the loopback address, so this build carries no usable network indicator of its own: it will only ever connect to 127.0.0.1:4444 unless something on the host forwards that port. The install_path and startup_name values are both borne out by the process tree on this page: the sample copies itself to %APPDATA%\XenoManager\client.exe and registers a scheduled task named "Security HELP".
Signatures
Detect XenoRat Payload (2 IoCs)
  yara_rule family_xenorat on behavioral1/files/0x0028000000046221-169.dat
  yara_rule family_xenorat on behavioral1/memory/3804-227-0x0000000000510000-0x0000000000522000-memory.dmp
Xenorat family
Downloads MZ/PE file (1 IoC)
  flow 43, PID 2876 msedge.exe (Edge's network-service utility process in the process tree)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely for geofencing.
  Key value queried: \REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000\Control Panel\International\Geo\Nation (client.exe)
Executes dropped EXE (2 IoCs)
  PID 3804 client.exe
  PID 5300 client.exe
Drops file in Program Files directory (2 IoCs)
  File created: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\e3392b3e-80f0-414a-be8f-80e550e590bc.tmp (setup.exe)
  File opened for modification: C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\20250125184707.pma (setup.exe)
  Both writes come from Edge's own installer (setup.exe --configure-user-settings), not from the sample.
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather the victim's system language in order to infer the host's geographical location.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (client.exe, two hits)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (schtasks.exe)
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 (taskmgr.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName (taskmgr.exe)
  All three reads are by taskmgr.exe, which was started interactively in the sandbox (taskmgr.exe /4). This is Task Manager populating its disk view, not sandbox evasion by the sample.
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (taskmgr.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (taskmgr.exe)
  Again attributed to taskmgr.exe, not to client.exe.
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)
Modifies registry class (2 IoCs)
  Key created: \REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings (msedge.exe)
  Key created: \REGISTRY\USER\S-1-5-21-3406519639-3774642266-3926631722-1000_Classes\Local Settings (taskmgr.exe)
NTFS ADS (2 IoCs)
  File opened for modification: C:\Users\Admin\Downloads\Unconfirmed 908283.crdownload:SmartScreen (msedge.exe)
  File created: C:\Users\Admin\AppData\Roaming\XenoManager\client.exe\:SmartScreen:$DATA (client.exe)
  The first entry is Edge writing its SmartScreen stream onto the in-progress download. The second is the same stream appearing on the copy under %APPDATA%\XenoManager, consistent with the sample copying itself (a file copy carries the source's alternate data streams along). That stream is a handy artefact for tying the installed copy back to a browser download.
Scheduled Task/Job: Scheduled Task (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.
  PID 5380 schtasks.exe
Suspicious behavior: EnumeratesProcesses (37 IoCs)
  PIDs 2876, 3592 and 3000 msedge.exe, 2552 identity_helper.exe and 5440 taskmgr.exe (repeated hits for the same PIDs; taskmgr.exe accounts for most of them)
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
  PID 3592 msedge.exe (7 hits)
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token SeDebugPrivilege: PID 5440 taskmgr.exe
  Token SeSystemProfilePrivilege: PID 5440 taskmgr.exe
  Token SeCreateGlobalPrivilege: PID 5440 taskmgr.exe
  These are privileges Task Manager enables for itself; none are attributed to client.exe.
Suspicious use of FindShellTrayWindow (64 IoCs)
  PID 3592 msedge.exe and PID 5440 taskmgr.exe (repeated hits)
Suspicious use of SendNotifyMessage (64 IoCs)
  PID 3592 msedge.exe and PID 5440 taskmgr.exe (repeated hits)
Suspicious use of WriteProcessMemory (64 IoCs)
  PID 3592 msedge.exe wrote to memory of PID 4704 (procid_target 83), PID 4652 (procid_target 85), PID 2876 (procid_target 86) and PID 5040 (procid_target 87), repeated per target.
  All four targets are msedge.exe child processes of 3592 (the crashpad handler, GPU process, network service and storage service in the process tree). This is the browser's normal multi-process startup, not injection by the sample.
Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Indentation reflects parent/child depth in the sandbox process tree. Each process is listed as image name and PID, then its command line, then the signatures it triggered.

msedge.exe  PID 3592
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://gofile.io/d/2y9gR8
  - Enumerates system info in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
    msedge.exe  PID 4704
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x124,0x128,0x12c,0x100,0x130,0x7fff11c546f8,0x7fff11c54708,0x7fff11c54718
    msedge.exe  PID 4652
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2140 /prefetch:2
    msedge.exe  PID 2876
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
      - Downloads MZ/PE file
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe  PID 5040
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2796 /prefetch:8
    msedge.exe  PID 3844
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3408 /prefetch:1
    msedge.exe  PID 2304
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
    msedge.exe  PID 2456
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4700 /prefetch:1
    identity_helper.exe  PID 4428
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
    setup.exe  PID 684
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings
      - Drops file in Program Files directory
        setup.exe  PID 1220
          "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff6b2965460,0x7ff6b2965470,0x7ff6b2965480
    identity_helper.exe  PID 2552
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5840 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe  PID 4116
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    msedge.exe  PID 1852
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5060 /prefetch:1
    msedge.exe  PID 1996
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5376 /prefetch:8
    msedge.exe  PID 3000
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4780 /prefetch:8
      - Suspicious behavior: EnumeratesProcesses
    msedge.exe  PID 3792
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4840 /prefetch:8
    msedge.exe  PID 5948
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6524 /prefetch:1
    msedge.exe  PID 5956
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16557039312995280060,95670865701996236,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3160 /prefetch:1

CompPkgSrv.exe  PID 5076
  C:\Windows\System32\CompPkgSrv.exe -Embedding

CompPkgSrv.exe  PID 4412
  C:\Windows\System32\CompPkgSrv.exe -Embedding

rundll32.exe  PID 1080
  C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

client.exe  PID 3804
  "C:\Users\Admin\Downloads\client.exe"
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
    client.exe  PID 5300
      "C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
        schtasks.exe  PID 5380
          "schtasks.exe" /Create /TN "Security HELP" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEF03.tmp" /F
          - System Location Discovery: System Language Discovery
          - Scheduled Task/Job: Scheduled Task

taskmgr.exe  PID 5440
  "C:\Windows\system32\taskmgr.exe" /4
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

The infection chain proper is the client.exe branch: the file downloaded from gofile.io is run from Downloads (PID 3804), relaunches a copy of itself from %APPDATA%\Roaming\XenoManager (PID 5300, matching install_path=appdata in the extracted config), and that copy registers a scheduled task from an XML definition written to %TEMP% (tmpEF03.tmp) with /F, named "Security HELP" to match startup_name. schtasks.exe is launched from C:\Windows\SysWOW64, so the dropped client is running as a 32-bit process on this x64 image. The task definition file itself is not shown in the report. Everything under msedge.exe is the browser's own process model, and the taskmgr.exe branch was started interactively in the sandbox.
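The client.exe chain above is a compact, reusable hunting pattern: a binary run from Downloads relaunches a same-named copy of itself from AppData\Roaming, and that copy calls schtasks /Create /XML with a .tmp file in %TEMP%. The following is an added example, written for this page and not tria.ge's own detection logic or part of the report, that applies both rules to Sysmon-style process-creation records (pid, parent pid, image path, command line). The sample events are constructed from the PIDs and command lines in the tree above; the parent PID 1000 given to the top-level processes is an assumption, since the report does not show who launched them.

```python
"""Hunting logic for the persistence chain in this report, run over
constructed process-creation events (Sysmon Event ID 1 style fields)."""
import re
import shlex
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the executable
    cmdline: str    # raw command line as logged


# A task definition dropped as a .tmp file under the user's %TEMP%.
TEMP_XML = re.compile(r"\\AppData\\Local\\Temp\\[^\\]+\.tmp$", re.IGNORECASE)
ROAMING = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)
DOWNLOADS = re.compile(r"\\Downloads\\", re.IGNORECASE)


def split_cmdline(cmdline: str) -> list[str]:
    """Split a Windows command line; posix=False keeps backslashes literal,
    quotes are then stripped from each token."""
    return [t.strip('"') for t in shlex.split(cmdline, posix=False)]


def switch_value(tokens: list[str], name: str):
    """Value following a case-insensitive switch such as /TN or /XML."""
    for i, tok in enumerate(tokens[:-1]):
        if tok.lower() == name.lower():
            return tokens[i + 1]
    return None


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def find_persistence_chain(events: list[ProcEvent]) -> list[dict]:
    """Return one finding per matched rule:
    - schtasks_xml_from_temp: schtasks /Create /XML <%TEMP%\\*.tmp> spawned by a
      process running from AppData\\Roaming (the report's PID 5380 under 5300);
    - self_copy_relaunch: a binary in Downloads spawning a same-named copy of
      itself from AppData\\Roaming (the report's PID 3804 -> 5300)."""
    by_pid = {e.pid: e for e in events}
    findings = []
    for ev in events:
        parent = by_pid.get(ev.ppid)
        if parent is None:
            continue
        if basename(ev.image) == "schtasks.exe":
            toks = split_cmdline(ev.cmdline)
            xml = switch_value(toks, "/XML")
            if ("/create" in (t.lower() for t in toks) and xml
                    and TEMP_XML.search(xml) and ROAMING.search(parent.image)):
                findings.append({
                    "rule": "schtasks_xml_from_temp",
                    "pid": ev.pid,
                    "task_name": switch_value(toks, "/TN"),
                    "xml": xml,
                    "parent_image": parent.image,
                })
        if (DOWNLOADS.search(parent.image) and ROAMING.search(ev.image)
                and basename(parent.image) == basename(ev.image)):
            findings.append({
                "rule": "self_copy_relaunch",
                "pid": ev.pid,
                "parent_pid": parent.pid,
                "image": ev.image,
            })
    return findings


# Constructed events mirroring the process tree in this report. PIDs and
# command lines are taken from the report; parent PID 1000 for the top-level
# processes is an assumption (the report does not show who launched them).
EDGE = r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"
SAMPLE_EVENTS = [
    ProcEvent(3592, 1000, EDGE, f'"{EDGE}" --start-maximized'),
    ProcEvent(3804, 1000, r"C:\Users\Admin\Downloads\client.exe",
              r'"C:\Users\Admin\Downloads\client.exe"'),
    ProcEvent(5300, 3804, r"C:\Users\Admin\AppData\Roaming\XenoManager\client.exe",
              r'"C:\Users\Admin\AppData\Roaming\XenoManager\client.exe"'),
    ProcEvent(5380, 5300, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"schtasks.exe" /Create /TN "Security HELP" /XML '
              r'"C:\Users\Admin\AppData\Local\Temp\tmpEF03.tmp" /F'),
]

# Constructed benign control: an admin registering a task from an interactive
# shell with /TR instead of a dropped XML file. Must produce no findings.
BENIGN_EVENTS = [
    ProcEvent(1000, 800, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(7000, 1000, r"C:\Windows\System32\schtasks.exe",
              r'schtasks.exe /Create /TN "Nightly Backup" /TR "C:\Tools\backup.exe" /SC DAILY'),
]

if __name__ == "__main__":
    for finding in find_persistence_chain(SAMPLE_EVENTS):
        print(finding)
```

The schtasks rule deliberately keys on the /XML-from-%TEMP% shape rather than on the task name, because "Security HELP" is a per-build string (startup_name in the config) while the tmp-file-plus-/F pattern is how the installer stages the task regardless of name. The two rules are kept independent so that either half of the chain still fires on its own if the other is missed.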
Network
MITRE ATT&CK Enterprise v15
Downloads (files collected from the run)

Filesize: 226B
MD5: 66aea5e724c4a224d092067c3381783b
SHA1: ee3cc64c4370a255391bdfeef2883d5b7a6e6230
SHA256: 04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923
SHA512: 5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

Filesize: 8KB
MD5: 75c84f4d8853e0ed2dec0f1f33a51600
SHA1: 82b48ac11a9a895b2df1034d82cea3933a84f802
SHA256: 154e0ba34ecab40daea62eca506ad0217ba209d34486359469c3630bb3a9de20
SHA512: 108459f454085f13b82be6a345bf8eedb0f13d5aaf09664099dd2fa53b99221106e31588ba9815d3673de9f1516160577b15a6a0e8047c4ba04ecd19b3c55ed2

Filesize: 152B
MD5: ce3b1f686fe1099f127abf8bb0a6ebd1
SHA1: 0d73154910ba712114a54da4a70e1f2fd6af7911
SHA256: ba6fb4f1587708c5b12d41d181d5c0bd794a0a0acdca7b70c7538398ed3f07df
SHA512: aa39919330e2261df585ab526c1dee495a7404f361f0f8f6856c18d38cb5468d463d5135b339d379bfbe39e789a8d994064f845f690cd9ed2c29c780e4aab622

Filesize: 152B
MD5: 2dbb5524aa1aa51fb09065a1fffbc8eb
SHA1: 931698f70968b05802e3f1caf59ef833cb49717c
SHA256: 98be2d6ca5623fbc27ef9701448face11d39e85297489d63569b40f38ad07404
SHA512: 2e80c69ebdb363d3deb8ce8a36f4f582450e932b039f71fb1a2b0a94458add2c978e122b98633430db51125be2e60d746aa88e1fbd0be38434de0784cd685316

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 48B
MD5: 04d8954fbd139d5eccff41fdd5c223e2
SHA1: 9a9236533cf8e53f28bc2fde2cf4c286bd2adc1d
SHA256: cecfbd9c9141f2449f8497343709e4b69ce21632085d4685dac7e2ea697badd9
SHA512: 865bb3ea6bae435f957127cd6ba61bf7c7d0f16a7a443bbe27c856234ab232eabccde48e83f39ec2b832069bd3435923486665e9485ff3dd223b121dd9d5219b

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize: 144B
MD5: 0627edb39a4567730400bfd0cbfc98cc
SHA1: d3634f2faba37eaa97d159cbf99219752e75f22a
SHA256: 58b05e6f2ded94ea91bdd0c5f8c9f7ac55d66e86e24aa4d147557675cd2aabe8
SHA512: bdb5527050171173c4436b449800e9c58d1e50bd0076307521c6d7d70be6c0f2a8c2d4c398f4519261be6f663b60542b9d174e0cafd3d9d764cc30ace327619c

Filesize: 70KB
MD5: e5e3377341056643b0494b6842c0b544
SHA1: d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256: e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA512: 83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Filesize: 5KB
MD5: 82837e230d1fbd319ba85960ef4c0ffb
SHA1: d3691139b21f2404410e77738857ae5f3b15e21f
SHA256: a04a4c11f1f0a8cfc51d5ad197996308d06362447e39e691e9256e7ef05f2073
SHA512: 11c05515ba984f02307093832452e02e3bcb013bebb70d2939d91d51e5d9b0442930b7b56cdd3584bf06c039828015c6c8c297252c9272cbec63a030d4fa0801

Filesize: 5KB
MD5: e6dfa77234b6c74988a8542de0c2a884
SHA1: 9c2c1ff78d70289053d90c268bd13b277b37996b
SHA256: 6dedd10663f0eb536ed824f30f1dbc1331b4f18ff407b2ca2f0e9e70e1bb791d
SHA512: 22facb9e3d71bc65cca12374301f15197252b48f7294a436da08cf8aa1cf317503549ac753625b0edda662f71fd333b1b91e1ea972157387783fe3fe02b60c09

Filesize: 5KB
MD5: d7f72b93997ad332967f02305dc19872
SHA1: ae4275f8a52690481783e3d3764cc47b74f312d4
SHA256: 8e35fb13d6ee82ddbc56990df8347ca3a693a173a5986ba71018b4750fe72408
SHA512: b1dc85abbc19e19ca2e0f38f1115652402adf37ade17b3e3aebbba218e7e55661cffef6f39fb4969c2afe0488c7fe054bdc1eea91e27141b090cc2a81c0a37d4

Filesize: 5KB
MD5: 7c392d6afee9ba733f24ed68229d6a39
SHA1: 29ee95f679d3fa97999a1c80e341d6ae8f63c2f7
SHA256: 9451d4f4f31b02ddb205e9ef50404630904cbaaeca748bdc62ba12cc97478d48
SHA512: 7ed2b4e846718049f0d43c2f9bcca0b46aa37dfb44111b450caf0ecb5949b676099ada360711f8c20d4571cfc768a204ad9e1331f1682ef60c46747ec4283fd5

Filesize: 24KB
MD5: b34b4baff340a3f6eefe8505fc27e7e7
SHA1: 4d1b936588dd1eb659511606f7ae37b4b788bd8d
SHA256: 333804cf5fe67abc2dcbfc59e065200af4843e64bf4e6b2cd3fe0ec93fff182d
SHA512: 4821914745f500999afc00a979cb251ee9bb08b96501ab8eade9f75565565d568b24422661c81a1b136017151ded5192fc5575990215d1c8f7783e1a9be45257

Filesize: 24KB
MD5: 5614b3ff8da92c0262de324b43eb81b9
SHA1: d313dd6760e336a522ba05f3918e9aa4d8bb0a11
SHA256: 4f9380552bf22ef4ed93687f44b76aee52c56dcb373c6c3fe5613f6370100275
SHA512: 61957fa440c545bc3c83e2579f14fbc4945377c2df935bfb1ff2a71361ca8effd821418b3d6a64005038741837ed4fbf0a55101d9d1f69ed0881d9ed28a57954

Filesize: 16B
MD5: 206702161f94c5cd39fadd03f4014d98
SHA1: bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256: 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512: 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Filesize: 16B
MD5: 46295cac801e5d4857d09837238a6394
SHA1: 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256: 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512: 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Path: C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\metadata\MANIFEST-000001
Filesize: 41B
MD5: 5af87dfd673ba2115e2fcf5cfdb727ab
SHA1: d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256: f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512: de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Filesize: 10KB
MD5: 3c95598c9d435814dc424f0158c6261f
SHA1: 35016f34d5b6181be61a64c12a1a565ed58e7276
SHA256: 290c12ddc68a123e2334645e9e786fe1364529b1d99d893576e6643135d4a3ed
SHA512: 7057d038966c208ee8793bc498e521f161d19d55357c268745555f6c1cffbb47151c643ba96168b7f03e57e860b3639e7a86653f3bf6883ad2183a88c0285ce6

Filesize: 10KB
MD5: e14ac05e33f049871621f9c895bd7b8e
SHA1: 7ca793780d0cc7d1cbcf9cd9ff1564fe09430276
SHA256: 64a19e625a0376b0716a9171240f1c8e83fc7327fabd9697c753053be7f2a016
SHA512: 81c9e2f1b84b075e1577727b163bc9e87e11facc863753204fa71b7eeb9cacbfddf7b89ebe5b32f673a2af9ecadae838fdf6359926efa8b0dc64c59edaacc8dc

Filesize: 1KB
MD5: fdd36139980f5cbfef3360123665b96c
SHA1: faf5353ca339065426642578c3913906e892becf
SHA256: ff95b1308fc4294f5d6dcb0c171633387d81b4f2efda617292eb784615b17bed
SHA512: 2ab91e7733c16300feda4efa61cc11baf21245f85c4cccd08e92c5fd61cfa03d206ba04939362733ce26385dfd66ab4524cd1a0da2c779a7e0ce9d00b4e5e31b

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: fce41c71f8e8dc4116b07f720c18bcf5
SHA1: cd25ced95922c12b7175729b7cb01cbfcbf7a2a9
SHA256: 795a3d2eac4d8b5833e8f983664bb67e414dbac782da1ee2315791ac367f7067
SHA512: 4246f447866851e0e60c49eed07aab16c313d3d7b6d29e5100a33a223db5817ddd1a73235388db92acdf9e95635ab99e0ead25b4ad7a39436553c8e5b6d32f5f

Path: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\ccba5a5986c77e43.customDestinations-ms
Filesize: 3KB
MD5: ae82aef4d2c5ce64d96d5dc6b047175c
SHA1: d8f3ca5f930a5d9284798e7f50794a5ca618630a
SHA256: c1ec3775ebcc5629cdcffaf5c21b169ea201f4f5301d825e10c478516f781467
SHA512: e771050e1b39477bc8bacecc76e15653b637a43fa598d67e22f64bd8bd6a6bb189f5b39d8196dc4f276ed4e696499f52b40adadd8ecf414d0618e673e57fe9b2

Filesize: 45KB
MD5: d4731e30c74730a52c53317e723d1f8f
SHA1: 78abe02baab00478135fbb980cbb6c19d7d7120f
SHA256: 4e8445b92a76947f6dc52dfbe6dd77c2fe4cb32761de7c9b8e292a8c83930312
SHA512: 474bb63e8ccf353c68ca703630ab721899c6363b57cef296e1b3447f5761d85efc66886dbf79a050b40a8d0c57f4b880dc909fee73bcd3b2762c7066fb83eb60