xenorat | hxxps://github[.]com/Mikeykorby/Educational-Purposes[.]/raw/refs/heads/main/BootstrapperNew%201[.]exe

Analysis

max time kernel
167s
max time network
167s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250207-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250207-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
15-02-2025 21:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/Mikeykorby/Educational-Purposes./raw/refs/heads/main/BootstrapperNew%201.exe

Score

10^/10

xenorat discovery rat trojan

Malware Config

Extracted

Family

xenorat

192.168.1.236

Mutex

Xeno_rat_nd8912d

Attributes

delay
5000
install_path
appdata
port
4785
startup_name
Solara Bootstrapper Dependinces

Signatures

Detect XenoRat Payload 2 IoCs

resource	yara_rule
behavioral2/files/0x000a000000027e5d-56.dat	family_xenorat
behavioral2/memory/4528-120-0x0000000000DA0000-0x0000000000DB2000-memory.dmp	family_xenorat

XenorRat
XenorRat is a remote access trojan written in C#.
trojan rat xenorat
Xenorat family
xenorat

Downloads MZ/PE file 1 IoCs

flow	pid	Process
19	1256	msedge.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-67687450-2252871228-2016797368-1000\Control Panel\International\Geo\Nation	BootstrapperNew 1.exe

Executes dropped EXE 5 IoCs

pid	Process
4528	BootstrapperNew 1.exe
3896	BootstrapperNew 1.exe
4412	BootstrapperNew 1.exe
3508	BootstrapperNew 1.exe
3044	BootstrapperNew 1.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
19	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew 1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew 1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew 1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew 1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BootstrapperNew 1.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

NTFS ADS 2 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 122686.crdownload:SmartScreen	msedge.exe
File created	C:\Users\Admin\AppData\Roaming\XenoManager\BootstrapperNew 1.exe\:SmartScreen:$DATA	BootstrapperNew 1.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1292	schtasks.exe
4832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1256	msedge.exe
1256	msedge.exe
1572	msedge.exe
1572	msedge.exe
560	identity_helper.exe
560	identity_helper.exe
4844	msedge.exe
4844	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe
3972	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 8 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe
1572	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1572 wrote to memory of 2524	1572	msedge.exe	89
PID 1572 wrote to memory of 2524	1572	msedge.exe	89
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 4332	1572	msedge.exe	91
PID 1572 wrote to memory of 1256	1572	msedge.exe	92
PID 1572 wrote to memory of 1256	1572	msedge.exe	92
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93
PID 1572 wrote to memory of 1408	1572	msedge.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/Mikeykorby/Educational-Purposes./raw/refs/heads/main/BootstrapperNew%201.exe
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x104,0x134,0x7ffc361446f8,0x7ffc36144708,0x7ffc36144718
  2⤵
  PID:2524
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2068 /prefetch:2
  2⤵
  PID:4332
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  - Downloads MZ/PE file
  - Suspicious behavior: EnumeratesProcesses
  PID:1256
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
  2⤵
  PID:1408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3392 /prefetch:1
  2⤵
  PID:4744
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:2160
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  PID:2992
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:560
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5216 /prefetch:1
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:4556
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4324
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6032 /prefetch:1
  2⤵
  PID:4836
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5488 /prefetch:8
  2⤵
  PID:3336
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5300 /prefetch:1
  2⤵
  PID:3460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6420 /prefetch:1
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4844
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6236 /prefetch:8
  2⤵
  PID:4988
- C:\Users\Admin\Downloads\BootstrapperNew 1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew 1.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - NTFS ADS
  PID:4528
- - C:\Users\Admin\AppData\Roaming\XenoManager\BootstrapperNew 1.exe
    "C:\Users\Admin\AppData\Roaming\XenoManager\BootstrapperNew 1.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3896
  - - C:\Windows\SysWOW64\schtasks.exe
      "schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4BD9.tmp" /F
      4⤵
      System Location Discovery: System Language Discovery
      Scheduled Task/Job: Scheduled Task
      PID:1292
- C:\Users\Admin\Downloads\BootstrapperNew 1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew 1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:4412
- C:\Users\Admin\Downloads\BootstrapperNew 1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew 1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3508
- - C:\Windows\SysWOW64\schtasks.exe
    "schtasks.exe" /Create /TN "Solara Bootstrapper Dependinces" /XML "C:\Users\Admin\AppData\Local\Temp\tmp4D0D.tmp" /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:4832
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2056,17977952241485675325,1179458502593453901,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.4355 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3972
- C:\Users\Admin\Downloads\BootstrapperNew 1.exe
  "C:\Users\Admin\Downloads\BootstrapperNew 1.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3044

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1528

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\BootstrapperNew 1.exe.log

Filesize
226B

MD5
66aea5e724c4a224d092067c3381783b

SHA1
ee3cc64c4370a255391bdfeef2883d5b7a6e6230

SHA256
04b17cab961f973464bba8924f764edef6451d1774f2405d27ef33d164296923

SHA512
5d719e303f491d1443cb7c7e8946481e90532522a422c98f82466e1eddcd1ef24a4505dcbf75f2191fbb66825d3550566d7f408a3854edeb4c1a192c8c9a6d06

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
e34c3c87fc826bdccbe8f4c376fb131b

SHA1
47ca51ad4ceaaf6bbe5fed44d80f2706836288ee

SHA256
4e99e96853d05a8d49974838f557da5567efa08ba34a0759373ab538e67d912c

SHA512
cddb3b8f64c4d5717ef876b02aede044c5bc322b71c93446f1d1bc3cc4092cc31aa1057165e6857c19891d2e4e8cf40aa8d9282a81f4bbf87debe94c72b14003

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
261B

MD5
2c2e6472d05e3832905f0ad4a04d21c3

SHA1
007edbf35759af62a5b847ab09055e7d9b86ffcc

SHA256
283d954fa21caa1f3b4aba941b154fab3e626ff27e7b8029f5357872c48cbe03

SHA512
8c4ce1ea02da6ffb7e7041c50528da447d087d9ee3c9f4a8c525d2d856cf48e46f5dd9a1fedd23dd047634e719c8886457f7e7240aa3cc36f1a6216e4c00ee37

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
00e3c6a590d0f61e53da204adb19cc10

SHA1
bbfadfcea4ad50361c2a788fcbdb0e0936d6b41c

SHA256
1e38ef69ba0e30e69200e42df7512a0224486644ebe8eb8a5dad22b367b6f8e0

SHA512
17eb492f00bcb3a7fc7a8d032da6e7f9d585eb4a6b82b10be24850735364b8618e1c94e196f113d56fe1bc096bc67720e0ff58a3b46ea703347e4870e20d1b3a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
1eefee681d024d658f94d5eb2df5f276

SHA1
ab3d640eb03cfa28df9de821c72b695c051fd046

SHA256
60aadec6428f2463d60ee3fd1902c7b6297b7f82a813fd7df6046c63aae9ecd9

SHA512
1973c5ac9b243e221de2897ffdc0eeae92a946d1fc20d6d4a05b6b9099371e4ede32bb681672aabf5fd15f7f0f4b5d02f9eaab6093adb2d3f7d13ea6d8733eae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
a4440f13aa5b7ebd4cba35de5b2cb950

SHA1
ea371a8d667ba14dc28d850b275b4f939fa0807d

SHA256
2b4e05d6899356b3d0a960ba943aff262d56b59dd2d69a3f68c5654d712efc4c

SHA512
7f66be4b5ff62739a1bc92b8396853a57d602f416d8f5f3c760e75b6734aaa78e454b0fa9418f67da75e81df9c47eaea2688a42195db94755a594a2fbf7a2bb1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
b1cd80200ec25e6844dc7e003cb6b84e

SHA1
edb4197e28048bdd10f217584a7f09ac3089b3b8

SHA256
275095844157af60765bc71a7aec60f301259831bd55433fe76cbc1e998b3925

SHA512
a22ac885da146ec01e77027da0ae46148eb6cac9359bff14924245c6cfefee72d8bb1e3c87bee741df8bfcc1dddf59045d044421bded4d7b7f3f186232eb28e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
e1e4291004280dc60c37e336a6c5d5c5

SHA1
b822b618bf8bfdcd5bcada574ea2fac993ebb0e4

SHA256
d7edf15d67a6c3f621d71317ca87399bf42cb1483214e6fb2c8c68814800a022

SHA512
0dd4f3ed832fba30df5825ee738d038d341943964f43645ca48194921ccf215ce21e2e7061669f5a842dee5ea5fa44ddcde52944dbfac7762466485aad6ac7df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4BD9.tmp

Filesize
1KB

MD5
0579f29ab936caa1c006d50f1afabd69

SHA1
afa6d1ab1e9b31cd9bf7acfac2bba38df09c431f

SHA256
23f8fa9c340f4d121e145654beba9923b9aec6e950b76162d1e4278dad391717

SHA512
26dd4b0bf8d4c71592ec86add436b3b91c0e278d26bf372bad755f900e1153c669b5c88b0b8d7d8a19f95bf781a644471f8b69e1ac27bac95544435c83a9f3ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4D0D.tmp

Filesize
1KB

MD5
33578a530fc89622fa3c69387251b072

SHA1
dbfa571b46d01755382f8ac30142bf8beea79223

SHA256
55c2f61258cc4a722f66d5fe347cf6a9b9e11c5f5e98888a854a9f9e1cc3605e

SHA512
5d2eebc2064702bc73970a10cc4ba436eb2a460a004b5c6d51ee3117be2d5917a049ac3661dfe20f2b027e4c1606783b6ece872dcdb22f380a7199bb5417cc3d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 122686.crdownload

Filesize
50KB

MD5
5c515c9244bc27f0f426244c885fa70d

SHA1
66e1e6a46113b2bd38b6bb3d1e6325af47229668

SHA256
5636beed6886a348e3d78ed59e335a0f3b798604afb47f966b1b5853568932a3

SHA512
0f91a1dc3777d238b784e1bac7540df01bce101e2eba2b078bb33a4313672ccd6fd1e1b2a3b43befd94a2825807723b718b8198b393f8b72d00dffda2dad66e9

Download Submit
memory/4528-120-0x0000000000DA0000-0x0000000000DB2000-memory.dmp

Filesize
72KB

Download