hxxps://cdn[.]discordapp[.]com/attachments/1256510022771413002/1257043951299596288/xuaa[.]exe?ex=6682f8e8&is=6681a768&hm=39326ee7136dbd436bc766cd47711a503983ae1be81ce8e5b1bf0d8663ae9783&

Analysis

max time kernel
38s
max time network
101s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30/06/2024, 19:41

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1256510022771413002/1257043951299596288/xuaa.exe?ex=6682f8e8&is=6681a768&hm=39326ee7136dbd436bc766cd47711a503983ae1be81ce8e5b1bf0d8663ae9783&

Score

8^/10

Malware Config

Signatures

Downloads MZ/PE file

Executes dropped EXE 1 IoCs

pid	Process
4132	xuaa.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	msedge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	msedge.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	msedge.exe
Key created	\REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 424154.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1312	msedge.exe
1312	msedge.exe
2948	msedge.exe
2948	msedge.exe
640	identity_helper.exe
640	identity_helper.exe
1120	msedge.exe
1120	msedge.exe
5588	msedge.exe
5588	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe
2948	msedge.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5588	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 4240	2948	msedge.exe	86
PID 2948 wrote to memory of 4240	2948	msedge.exe	86
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 3188	2948	msedge.exe	87
PID 2948 wrote to memory of 1312	2948	msedge.exe	88
PID 2948 wrote to memory of 1312	2948	msedge.exe	88
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89
PID 2948 wrote to memory of 3276	2948	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1256510022771413002/1257043951299596288/xuaa.exe?ex=6682f8e8&is=6681a768&hm=39326ee7136dbd436bc766cd47711a503983ae1be81ce8e5b1bf0d8663ae9783&
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffa9db446f8,0x7ffa9db44708,0x7ffa9db44718
  2⤵
  PID:4240
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2116 /prefetch:2
  2⤵
  PID:3188
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2884 /prefetch:8
  2⤵
  PID:3276
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2132 /prefetch:1
  2⤵
  PID:4252
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3440 /prefetch:1
  2⤵
  PID:3232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  PID:4468
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5380 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:640
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4108 /prefetch:1
  2⤵
  PID:1352
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4104 /prefetch:1
  2⤵
  PID:4216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5788 /prefetch:8
  2⤵
  PID:316
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5836 /prefetch:1
  2⤵
  PID:1184
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=6320 /prefetch:8
  2⤵
  PID:4008
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5748 /prefetch:1
  2⤵
  PID:2196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6312 /prefetch:1
  2⤵
  PID:3060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5148 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1120
- C:\Users\Admin\Downloads\xuaa.exe
  "C:\Users\Admin\Downloads\xuaa.exe"
  2⤵
  - Executes dropped EXE
  PID:4132
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5524 /prefetch:1
  2⤵
  PID:4644
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6072 /prefetch:1
  2⤵
  PID:772
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2000 /prefetch:1
  2⤵
  PID:3248
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=1308 /prefetch:1
  2⤵
  PID:1328
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
  2⤵
  PID:3096
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4928 /prefetch:1
  2⤵
  PID:5192
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3496 /prefetch:1
  2⤵
  PID:5200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=5944 /prefetch:8
  2⤵
  PID:5456
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=2100,16821458160346846566,14937893554562313270,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:5588

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:440

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2260

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
81e892ca5c5683efdf9135fe0f2adb15

SHA1
39159b30226d98a465ece1da28dc87088b20ecad

SHA256
830f394548cff6eed3608476190a7ee7d65fe651adc638c5b27ce58639a91e17

SHA512
c943f4cfe8615ac159cfac13c10b67e6c0c9093851dd3ac6dda3b82e195d3554e3c37962010a2d0ae5074828d376402624f0dda5499c9997e962e4cfd26444c0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
56067634f68231081c4bd5bdbfcc202f

SHA1
5582776da6ffc75bb0973840fc3d15598bc09eb1

SHA256
8c08b0cbceb301c8f960aa674c6e7f6dbf40b4a1c2684e6fb0456ec5ff0e56b4

SHA512
c4657393e0b9ec682570d7e251644a858d33e056ccd0f3eebffd0fde25244b3a699b8d9244bcdac00d6f74b49833629b270e099c2b557f729a9066922583f784

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_00000c

Filesize
211KB

MD5
151fb811968eaf8efb840908b89dc9d4

SHA1
7ec811009fd9b0e6d92d12d78b002275f2f1bee1

SHA256
043fd8558e4a5a60aaccd2f0377f77a544e3e375242e9d7200dc6e51f94103ed

SHA512
83aface0ab01da52fd077f747c9d5916e3c06b0ea5c551d7d316707ec3e8f3f986ce1c82e6f2136e48c6511a83cb0ac67ff6dc8f0e440ac72fc6854086a87674

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
cf87dc6146de2cbef12a8ce9da451166

SHA1
37cc5ad71b434633d4d08b2951c43cf0b5d1b03a

SHA256
86a5973d268c50146eb8ee87361410bd5b43f8544b35c6a2a3e6a80be2ff1193

SHA512
734a2f1f2b0baf05aa68003cf4901e9964be8116514bfea41092a459fc284e8e029a3ccc34007aee64fdb8d636e42d713f4438e0e866e99e8c3468d978bbc4f3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
02655d1e8dc6b7c19e8222c86573f796

SHA1
62fb0de06d512ce332ce9e007af2d17b8fca372d

SHA256
a632e49545e383650cf1f94c4e0b6cf42ec61be26a58848f8fd7fce1a53f0e2e

SHA512
89b114428c1ade93283880e2f63f72ee5b402596a3b5261f97c775c11aead31c14b55924e8036d1a6cce7feefa7916284dd6dc001cfcaa14d660a7bd5e25bce7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
c50dc63dae4dfbcd5ec11197cdaee69e

SHA1
12e5b86c23776832d679a1ad60a51022d665307b

SHA256
0f3bf9a0af7d39fbe8312e892da811614cc569e9f98c4ed4fc06620104c371b8

SHA512
efaad865b390dc60d9a929d12001eb2d10f3bf6afbb440b3405f09a79dd7392824cef1c765a29010da0ada0c5167750bf6003c48492cfb5501c4ea602f60b2a1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
29f59e2e214a01fa923f14ae212a8299

SHA1
e71a40b863ef1b45d09051f9441a5c27e1c1efda

SHA256
cac55bfd92d6a0daace921ebe45485d73bf8c980747ba270e0f00b340df4e4df

SHA512
56689b3655b4f4529bcd534bb334c5480aa5dd8620c6046c175cf2adf2b61f1a9fd5f30a7a57934dead0fc81e8a6f70717cdb95134ac1f2194261da6678d5ff1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
38eae65ffc0821d410bd53a919d726c5

SHA1
7014437cced601c3615f8ba5513d97753f5bcaa9

SHA256
834dfbc6dbc1af13d7fb94b1565267b33f7d6fd09eed48f290d40b4646851796

SHA512
7ec8efb62e2e28951cb91095076af835e12a11b508849b0ad1e7562a6c7ba1d672dcb437d28aa8f2fd8215cf126a88b13ebdbbe6964c7075264bd2a72e070825

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
610bfddbcc32c361c80e27b20e703378

SHA1
a175e50f6c3d47f25bf186f45e896221f1743862

SHA256
13fa5686855211b50a7c0d0d02a5dfa6e9a649a28091cdc9f9ee944413ee0bbc

SHA512
29e84d9815144d6ed57c2c4178c781b0ae9f94eff60922bffca58221670189df9c18fbb6df8278b6eb1c8035cd847f255121df07b60c1c2865dfdb1a06d46b3c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
990f441082a36ec5bb6a1f0a1c41cfee

SHA1
e380190b3da4e0b6a7d2b97c8a93c545b4732877

SHA256
fad08d74f52568412b0aacd6b49bb76c3f2f93ec4352f9a525c2415ddc28676a

SHA512
c208bee49df849a1747870d5b6b800b169d57a290977727c9b07142ede5b002a92fd633af804232ba0f118565246aa17cb1045d58bff09121cd5a67ab23248d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe586443.TMP

Filesize
48B

MD5
9868d9145a4677e2fea43dffe467e27d

SHA1
b00057137787ff8aed14ec55b1fffe33eb53d192

SHA256
186f8b8249f2d5e9bcc309030542a9e4060e1ec6a6c768a10c73f9951d5b4c14

SHA512
5d97c5386a91fb95eb6d7599c9fe1f0a66f04732200008bf13e117a8fe98f05cda3014b155167184bf4f4603941a36d35cef02ff0949f7048edcbe78038ddb09

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d18880f9d43156a00ffbfd336b901a57

SHA1
3ca924475fc47fb2ae60ecbe3bc5d198661de1f1

SHA256
e169a308e9f759668008bc5e81e8b2c3e8a77a8f8efd02b02614c14913688ee1

SHA512
d70d760ad20c20ff82a4dfa85542c0095c4c0b938b02cfa694c2552448cb906055883eb7a24adcd02efacdf6df057838020042defe79e6fe54bfe7e27a845f14

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9127f3795dc1bbdf77aa3796a002fb86

SHA1
5c2d2aefb3bc9b1cce5b0cbba8c3151a544475fb

SHA256
d514ffd51b1c777e4dbfa9919940a7451f93cc01d1558ce33aa165c470f377a1

SHA512
a66255be5b1cb83285ede89419df0700be592ebb5759e600603a2ebb826787486fc61afd0841b1485261b31cdb7f28a67d778d73b7b991eb43b90a8e125ed303

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9086e5020cec26d0fffd1de925c4f00e

SHA1
30f6bdbbf6619088ff98947466ccfbd0098d6693

SHA256
a05b69440f5df34645bcdc0793d9fa03638fbdc22f1717f3308d980adb1cffef

SHA512
f11bfcdf10e12d472b6e2fb4e5c146722bb272567fe582f67782eb68a44d3caf168127ce5d65cef27459b310f91d6035d3fed75565d4187b452cec286ae67aa2

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 424154.crdownload

Filesize
2.1MB

MD5
6fa875e23acae33f3a5bfc2a9f96b4b7

SHA1
bf3499df1a6baaecb6c4bb080aeea413e4ab69cc

SHA256
5b1812dad053d1d5950688422391c7aa89984a7a418e370a3b5244a0cec67d4e

SHA512
ee08ff9e3367375ec1246f414fc3e36ad448a79776fa8c70b2be0369bb20a619508faac8f134a22f94d858e7c00f5ea1341053672ee11cb35234ddcb4e841730

Download Submit