xenorat | hxxps://github[.]com/Mikeykorby/Educational-Purposes[.]/raw/refs/heads/main/BootstrapperNew1[.]exe

Analysis

max time kernel
145s
max time network
154s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
15-02-2025 17:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Mikeykorby/Educational-Purposes./raw/refs/heads/main/BootstrapperNew1.exe

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

193.161.193.99

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4444
startup_name
Solara Bootstrapper Dependinces

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x000c000000027e70-52.dat	family_xenorat
behavioral1/memory/3080-111-0x0000000000330000-0x0000000000342000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
17	4944	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	BootstrapperNew1.exe

Executes dropped EXE 7 IoCs

pid	Process
3080	BootstrapperNew1.exe
1756	BootstrapperNew1.exe
468	BootstrapperNew1.exe
216	BootstrapperNew1.exe
4700	BootstrapperNew1.exe
2332	BootstrapperNew1.exe
4500	BootstrapperNew1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
17	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 8 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 335261.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\BootstrapperNew1.exe\:SmartScreen:$DATA	BootstrapperNew1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
4944	msedge.exe
4944	msedge.exe
4452	msedge.exe
4452	msedge.exe
2408	identity_helper.exe
2408	identity_helper.exe
64	msedge.exe
64	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe
3200	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe

Suspicious use of FindShellTrayWindow 37 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe

Suspicious use of SendNotifyMessage 26 IoCs

pid	Process
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe
4452	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 4140	4452	msedge.exe	90
PID 4452 wrote to memory of 4140	4452	msedge.exe	90
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 2640	4452	msedge.exe	91
PID 4452 wrote to memory of 4944	4452	msedge.exe	92
PID 4452 wrote to memory of 4944	4452	msedge.exe	92
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93
PID 4452 wrote to memory of 60	4452	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Mikeykorby/Educational-Purposes./raw/refs/heads/main/BootstrapperNew1.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffbd40c46f8,0x7ffbd40c4708,0x7ffbd40c4718
  2⤵
  PID:4140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2096 /prefetch:2
  2⤵
  PID:2640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2184 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:4944
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2756 /prefetch:8
  2⤵
  PID:60
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3956
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1052
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5084 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5116 /prefetch:1
  2⤵
  PID:3028
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5184 /prefetch:1
  2⤵
  PID:4056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5796 /prefetch:1
  2⤵
  PID:2444
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4304 /prefetch:1
  2⤵
  PID:4112
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5264 /prefetch:8
  2⤵
  PID:3576
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3460 /prefetch:1
  2⤵
  PID:2032
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6272 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:64
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6380 /prefetch:8
  2⤵
  PID:3108
- C:\Users\Admin\Downloads\BootstrapperNew1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:3080
- - C:\Users\Admin\AppData\Roaming\XenoManager\BootstrapperNew1.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\BootstrapperNew1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1756
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:2760
    - - C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        5⤵
        
        PID:216
- C:\Users\Admin\Downloads\BootstrapperNew1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:468
- C:\Users\Admin\Downloads\BootstrapperNew1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:216
- C:\Users\Admin\Downloads\BootstrapperNew1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4700
- C:\Users\Admin\Downloads\BootstrapperNew1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2332
- C:\Users\Admin\Downloads\BootstrapperNew1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4500
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1780,6553247082258164547,12397816451282782038,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=3188 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3200

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BootstrapperNew1.exe.log

Filesize
226B

MD5
66aea5e724c4a224d092067c3381783b

SHA1
ee3cc64c4370a255391bdfeef2883d5b7a6e6230

SHA256
04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923

SHA512
5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e34c3c87fc826bdccbe8f4c376fb131b

SHA1
47ca51ad4ceaaf6bbe5fed44d80f2706836288ee

SHA256
4e99e96853d05a8d49974838f557da5567efa08ba34a0759373ab538e67d912c

SHA512
cddb3b8f64c4d5717ef876b02aede044c5bc322b71c93446f1d1bc3cc4092cc31aa1057165e6857c19891d2e4e8cf40aa8d9282a81f4bbf87debe94c72b14003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e91fa4b3a7a43eef5c572f9e899002a1

SHA1
eb316ff5b3b2f735eb4333b30dbf32671db7b538

SHA256
3ab502eefccba6aa15776ca5225c7abbfddd2b6b256f6bb1a63ace6bda16b2e7

SHA512
891c458c691937f818370f4310764c8445fca7f04bace8f97b218963d36173f9a2217be0e234f5b116f4ff543e06586b16bcf7144a89e8af1e027f4c24598e9f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
ac312d0035f1ac9363a9648a46479b39

SHA1
a4e1e62f9a3069f34c72aeab95b11ef7398ec0ba

SHA256
793826c291ac363ffd35782f11e43572db29c089db700d08d96b71ec22f0ab68

SHA512
4063b52137e440e8f78f4b85318e714a8bcfc9ceb2e8f6e572478a09afc3e2fe09e41410967b7e0d1fa747219af38780bfb5be0c5c9837465977fd209edcdee4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a4440f13aa5b7ebd4cba35de5b2cb950

SHA1
ea371a8d667ba14dc28d850b275b4f939fa0807d

SHA256
2b4e05d6899356b3d0a960ba943aff262d56b59dd2d69a3f68c5654d712efc4c

SHA512
7f66be4b5ff62739a1bc92b8396853a57d602f416d8f5f3c760e75b6734aaa78e454b0fa9418f67da75e81df9c47eaea2688a42195db94755a594a2fbf7a2bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3820efbacd42c4defd878cc8742274c

SHA1
45a99434b0f0049d774650e7a7050a5dd3aaac13

SHA256
cb9e6e74e4138393e5046acf4e4c8cd7bcc342cd9bf99506eeb6b32e766542b8

SHA512
624bd3303fc3319a41a584478dd146f07055afccf0213ae72b05580f6149244550cba25b4f04d36146917bbaa1a7d48a95adbbac06f5bb7169c7cab857646422

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2824.tmp

Filesize
1KB

MD5
4f1a3f65c726a5d1b6738fc85f4a9925

SHA1
e207b950c2f65eb9e4f59967afefa139748f4a6f

SHA256
4820306e4bbf03801fb906ef2fcdd956b9d8a5949870ece25ac21244e3285d93

SHA512
fc836daa24cf6245f3fb6261c06e6735925a17149e7297ea4c24b297ea91eb4d9f17d8b090f0e24e970d58ba797498c390735192c5352e32ac88b1312e665339

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 335261.crdownload

Filesize
50KB

MD5
2db839a013bb2742e80cdcf4edc63f39

SHA1
8b94a91e13f1ff30a3ca2627d3b43affacbb66b0

SHA256
47497f110de244113679de02a3eefc50a9831c13e7c86b45ea3e0ce8d0072f7d

SHA512
3f0210b4a1245d67c96f563a191b4c11455137afee436ec2b41d2b672a93aed4ebeb5ac0814217ef9fc3c1706c371028670583876d829bccc244206af34e324a

Download Submit
memory/3080-111-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download