hxxps://cdn[.]discordapp[.]com/attachments/1282029184755171388/1282035065047613500/Xclient_Rat_V3[.]rar?ex=66dde3b2&is=66dc9232&hm=fc9d54cf75acb5238ce35091e48083aee17d24909659084cf4abbbd77b6e4f76&

Analysis

max time kernel
1131s
max time network
1133s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2024, 17:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1282029184755171388/1282035065047613500/Xclient_Rat_V3.rar?ex=66dde3b2&is=66dc9232&hm=fc9d54cf75acb5238ce35091e48083aee17d24909659084cf4abbbd77b6e4f76&

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1302416131-1437503476-2806442725-1000\{7108C498-5D6B-4FA5-B84A-B018836A3D20}	msedge.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1608	msedge.exe
1608	msedge.exe
2000	msedge.exe
2000	msedge.exe
2892	identity_helper.exe
2892	identity_helper.exe
2512	msedge.exe
2512	msedge.exe
1200	msedge.exe
1200	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe
3852	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 15 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe
2000	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2000 wrote to memory of 1516	2000	msedge.exe	83
PID 2000 wrote to memory of 1516	2000	msedge.exe	83
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1648	2000	msedge.exe	84
PID 2000 wrote to memory of 1608	2000	msedge.exe	85
PID 2000 wrote to memory of 1608	2000	msedge.exe	85
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86
PID 2000 wrote to memory of 1900	2000	msedge.exe	86

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://cdn.discordapp.com/attachments/1282029184755171388/1282035065047613500/Xclient_Rat_V3.rar?ex=66dde3b2&is=66dc9232&hm=fc9d54cf75acb5238ce35091e48083aee17d24909659084cf4abbbd77b6e4f76&
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fffee3946f8,0x7fffee394708,0x7fffee394718
  2⤵
  PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2212 /prefetch:2
  2⤵
  PID:1648
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2188 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1608
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2836 /prefetch:8
  2⤵
  PID:1900
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3400 /prefetch:1
  2⤵
  PID:1436
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3412 /prefetch:1
  2⤵
  PID:232
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  PID:1568
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5244 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=180 /prefetch:8
  2⤵
  PID:3952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4060 /prefetch:1
  2⤵
  PID:2228
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6004 /prefetch:1
  2⤵
  PID:4284
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5996 /prefetch:1
  2⤵
  PID:3852
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5808 /prefetch:1
  2⤵
  PID:3692
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5792 /prefetch:1
  2⤵
  PID:3376
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6064 /prefetch:1
  2⤵
  PID:4840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3448 /prefetch:1
  2⤵
  PID:4504
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2148 /prefetch:1
  2⤵
  PID:2004
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6380 /prefetch:1
  2⤵
  PID:3684
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6352 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2512
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6552 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6484 /prefetch:1
  2⤵
  PID:2748
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6256 /prefetch:1
  2⤵
  PID:1912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=3000 /prefetch:8
  2⤵
  PID:4312
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5736 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:1200
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=25 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2200,1349711648521274099,1059168579754720478,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1980 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3852

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3000

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f9664c896e19205022c094d725f820b6

SHA1
f8f1baf648df755ba64b412d512446baf88c0184

SHA256
7121d84202a850791c2320385eb59eda4d697310dc51b1fcd4d51264aba2434e

SHA512
3fa5d2c68a9e70e4a25eaac2095171d87c741eec2624c314c6a56f4fa390d6319633bf4c48b1a4af7e9a0451f346beced9693da88cfc7bcba8dfe209cbd1b3ae

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
847d47008dbea51cb1732d54861ba9c9

SHA1
f2099242027dccb88d6f05760b57f7c89d926c0d

SHA256
10292fa05d896a2952c1d602a72d761d34bc776b44d6a7df87e49b5b613a8ac1

SHA512
bd1526aa1cc1c016d95dfcc53a78b45b09dde4ce67357fc275ab835dbe1bb5b053ca386239f50cde95ad243a9c1bbb12f7505818577589beecc6084f7b94e83f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
29245d553dd13f361719ce441e0e625b

SHA1
9cf900fc077d93dd923c55154f5816a253b9d6c6

SHA256
cf94bbaba3059ecd9d41f86bc330234e52cc915f6cc19f9d98e9cf4f3b2ee17b

SHA512
40f3958e043eb7993a112538d3ce8302d49e85305b131ca268534807f3ff79d12ef64334a965727bc739ff6c9d1c91dc1fb44be74cce332eea8f0c5e646706c8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
543B

MD5
6400738c186991f7a4d918065b3ef33c

SHA1
b5de3a801d4320b51ffe1fd592f0000fe684b1f0

SHA256
f216e5379832fc9893cbdc0298d3cf33fb4e0bb47098e9838368ec1e5e1468bc

SHA512
e5e038c603c1a9b001bb1e5008eab08f3950cd6f708e284616711db9fdbbc103a7ab373653a8d3e54eeef98a89ac83e4180267a0fa1136760484ea7a1e8b38d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
807419ca9a4734feaf8d8563a003b048

SHA1
a723c7d60a65886ffa068711f1e900ccc85922a6

SHA256
aa10bf07b0d265bed28f2a475f3564d8ddb5e4d4ffee0ab6f3a0cc564907b631

SHA512
f10d496ae75db5ba412bd9f17bf0c7da7632db92a3fabf7f24071e40f5759c6a875ad8f3a72bad149da58b3da3b816077df125d0d9f3544adba68c66353d206c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
e1f3bedfa1fb671724a0fb6c6957c563

SHA1
cd48b4b88ee649801bafc1493008c937652a338b

SHA256
08029d2553acaf8cf06c76c6c6639e61ed1edc4989070007b25ebb3667232ff8

SHA512
30f988438b908f8331fd977c53f993db5b1690e467bda090c4a3d32d1cd55dbb88221644e27543a058bf9df2612e35d1476b3f18147c1f967be244d8cf4a5fda

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
db047cfdae798fc1774f786761b834b5

SHA1
1275e1515569fd0b0bc9b49dc43c46c8ec4180d1

SHA256
5614c98ee35b70fb2178c84d44622b8c13ea19aca49e43083055319ae6cc0855

SHA512
16bff41893b10097fc15cd1d51e5731e0509728d800297c4758bfdcae7d46644cc3f4bdf818860d96f61cea9ac78285419a4fbc147cf8d849d6191c9c99458fd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
f74afe8ebd65dad24e4e2e7a716d1fb0

SHA1
31c1cd978506d986e8a0dab3dbbea243cf189b58

SHA256
0461795e4f807348425a9256e69613be4a7e5a38c6f5c84a5c1022a593e97d06

SHA512
321bc7497244274559fb8b9fda96186ef779d1bad8f640600e025237f82b52f9bab4bc61e8b320077d180ad48d07894dfe6f539d8e1507489b101cc66043e7d0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
7342c31f59136a05fd44b8d931d35731

SHA1
cc409d7cb0a1f9bb6241edf55187f97b0bd564e5

SHA256
ac1b4147afb67697562689efdc4a7598ab65582347663fbef485f180d9d15eba

SHA512
015bc3d11ad735955402d602413055614ffd39b2e65de742f8c0ffc49822372c4bd669632d9ef8b6cd8ee7cc2559d0c738675738d799893393896865b6c641d8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
538B

MD5
b178c6eb359529d33c9577e20d849ecc

SHA1
5280347af1826b2df3735a03741c29005c27c12e

SHA256
f12147a56504b6c1db62b781da771aa2806287f5b0c1b46123d6abcbcfa0d4b7

SHA512
8cd2a91748e5c23afc8bb0d19eb3781254b03605be484dd3481cf9ad5373af43d7eea4b792776893899754de7df003364d12c01284238f9920a62f9a43f1d261

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe588b34.TMP

Filesize
370B

MD5
34051e6ea7203bd36ccd66b71b615969

SHA1
9292103db457b348fe07d7df52c7ad0611988a75

SHA256
5bbca2998bde2c2bcbc0e2d1bed5c39b2fe09aff29875366c535b22cd126bb1e

SHA512
ceff266e6a8f4522d4704b304ece1afd0e47480ce791b1e677d18e010aef587efee6ba4942d1fdf98754fee007ad6da21a4c7fcc4e280e85e74e82a592540e70

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
984e5f5c280bd61bb5e49d59523ced69

SHA1
f8f36948219c77d9c62f13144af0052ec305182d

SHA256
200631ba9dcf2b97cb074d0e3540de208db43537861bbe10ebbaa5f8f2869231

SHA512
32b1f52538eaeb3e5a8c870ac912f6047753eb8c1f730f160e3f30453ffdaed54995d956b05e4fb0c1f06348c6a4692830450d7cb08cfb67cb6aa7f8f20c2c2d

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 813458.crdownload

Filesize
15.3MB

MD5
547154bf45432df856eb44da21a65758

SHA1
7b5e58f8ab51d19f5de1f4de1e22c11b12d69ed0

SHA256
28721963c3f4a4859b87025ba358bc1e3bdbde907fd4839742ea39cb2eb43642

SHA512
1e527e25bc217f637829a380e2f4377addc0bfbaf7506cf1eed693e5524228bf096b3a2a679c6a17aa9404d83c7131ddbd2eae0cda800993225087943dbf3039

Download Submit