2af9725559beb603eeab6daa046b65b8e80cbaa09c097aabb7fb774e63373268

Analysis

max time kernel
145s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
30-01-2025 22:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Xeno-v1.1.4-x64/Xeno-v1.1.4-x64/bin/Monaco/index.html
Size

164KB
MD5

001dcbb8f41cdcbf9b4d1e3a0ed4b2d2
SHA1

982a05814546017c40771e59e7677b53d84787e9
SHA256

f1d2c52f2803c29585b81d2eff74c56242d27e9619ee6d38081d5604c5bb1951
SHA512

9a4eba2a9314b6f5851997e1db0ecfae8e40da3443d8a5f9df933ccf6a4d75fc330888c8d14818326e15b3dec9ae2f5f7e73cd08c3822dd7eb0b2d753c8cd8fa
SSDEEP

3072:Nk4J09UmmJv8kBpZaFD48VOAGUWYPjDZlLJbRBiPEP8yKUz2Ojmjr8zM3KP7pblM:64J09BA3pZaFD48VOAGUWYPjdlLJbRBS

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4256	msedge.exe
4256	msedge.exe
4480	msedge.exe
4480	msedge.exe
3380	identity_helper.exe
3380	identity_helper.exe
832	msedge.exe
832	msedge.exe
832	msedge.exe
832	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 6 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe
4480	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4480 wrote to memory of 400	4480	msedge.exe	84
PID 4480 wrote to memory of 400	4480	msedge.exe	84
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4196	4480	msedge.exe	86
PID 4480 wrote to memory of 4256	4480	msedge.exe	87
PID 4480 wrote to memory of 4256	4480	msedge.exe	87
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88
PID 4480 wrote to memory of 2696	4480	msedge.exe	88

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument C:\Users\Admin\AppData\Local\Temp\Xeno-v1.1.4-x64\Xeno-v1.1.4-x64\bin\Monaco\index.html
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffdefe446f8,0x7ffdefe44708,0x7ffdefe44718
  2⤵
  PID:400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2192 /prefetch:2
  2⤵
  PID:4196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2280 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
  2⤵
  PID:2696
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3240 /prefetch:1
  2⤵
  PID:2840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3260 /prefetch:1
  2⤵
  PID:1740
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  PID:3656
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4704 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3380
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=180 /prefetch:1
  2⤵
  PID:1556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5180 /prefetch:1
  2⤵
  PID:4036
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5440 /prefetch:1
  2⤵
  PID:2120
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5432 /prefetch:1
  2⤵
  PID:3520
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,5674055180917352989,13905422022336578267,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4820 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:832

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3824

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4516

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
b9013b8bea41aa2c8fa7f4763168069e

SHA1
349be86bde65cc0c3a15b2b21b6eaf2db452e92d

SHA256
6245436fe808740cde15c227fcda465a37a52f17f3642a71f0abbc466ce5b466

SHA512
d23bc18adb6acf9eb36fea85becb7b1a004bed034ef443acc3d442d1364f2ffa17f57e8eb6eeb1702dc459c5c16763b4e72249e6a326c9c36800d3f395fdd326

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
908f9c2c703e0a6f81afb07a882b3e30

SHA1
53ed94a3145691e806e7dd8c160f5b459a2d16ef

SHA256
4436bec398522c5119d3a7b9c41356048c19d9c476246c76d7a4c1ee28160b52

SHA512
7af7116a91c8e3dfc23db8a78d7aff9a8df8e3b67df7f4ee66f9380dba4d1e66d980afaefc5dc2d9034ab5c0b7c6934400feb32645373f3ff4f8816414ae6ff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
193B

MD5
62fc8758c85fb0d08cd24eeddafeda2c

SHA1
320fc202790b0ca6f65ff67e9397440c7d97eb20

SHA256
ee0d15dce841e092ad1a2d4346a612410f8f950fdb019bc7b768f6346f2b5248

SHA512
ca97e615bdcac137a936c10104a702e1529ed3470828f2c3a2f783345ebbef04cac8c051df636c714151671efea53a9b8912b6b0d0b5eafdac5fae1dfdc8f85d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
feca0125680667b274d16204b1f56198

SHA1
d2bdd8da4617f8945de65fb2acb999834eeb1c87

SHA256
b095f84d6b52ac20d9a53a21945b672139c00c488f967d552d26d1e10379e6b1

SHA512
693ca28157dea2cb0ba7dc0128a8142c8c4fa4a207a32aaaea0b5cddfcecf72faeefe46477aac52efbceb51171fa76b4f199021755ff21e4a816dd172b3fcedb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d9fbf6abc3d872f57b2f940bb1a78370

SHA1
2a13349b2fabeb51b038deb80657b79f33df0842

SHA256
064202256d26178a289cb4f12b60e3648ac1d7b77fabd50a2d3418ad549e6e7d

SHA512
7cdddf703cd378deba899c7686668788bcff82f733705c2c78561f307d89951f02da78d4c6ff0046d3b7b90b984237e6c64cb4a72b13c74c16a60a9797a79264

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
945b76f4ea0e9bcb342a6dec2b1f0d0b

SHA1
d4b8ce8e69164b9091682d5701194c1dc0af881b

SHA256
8b959f3575d6d5cd7a06a2a95d47c615e3b13992f737b15f93e10b7526921f6a

SHA512
46b4a10c661e434a719019cc6c7515bb6cac51f534b0c18518ca8b7348c8b7c8ed5a2faa746fe4387d634373fcec8f6dded6515c228105460d1a52cb7aa5c56c

Download Submit