hxxps://cdn[.]discordapp[.]com/attachments/1267410065145593918/1267412602447990826/setup[.]zip?ex=66a8b177&is=66a75ff7&hm=25889dd9dddcffc74a9bfa5301612c6e4360f1a057c5e7506ad1fb4a2463f0c4&

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
06/12/2024, 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1267410065145593918/1267412602447990826/setup.zip?ex=66a8b177&is=66a75ff7&hm=25889dd9dddcffc74a9bfa5301612c6e4360f1a057c5e7506ad1fb4a2463f0c4&

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
136	raw.githubusercontent.com
137	raw.githubusercontent.com
140	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	msedge.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1020	msedge.exe
1020	msedge.exe
1580	msedge.exe
1580	msedge.exe
4920	identity_helper.exe
4920	identity_helper.exe
4660	msedge.exe
4660	msedge.exe
4660	Xeno.exe
4660	Xeno.exe
4660	Xeno.exe
4660	Xeno.exe
4660	Xeno.exe
4660	Xeno.exe
1260	msedge.exe
1260	msedge.exe
1260	msedge.exe
1260	msedge.exe
4956	Xeno.exe
4956	Xeno.exe
4956	Xeno.exe
4956	Xeno.exe
4956	Xeno.exe
4956	Xeno.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 16 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe
1580	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1580 wrote to memory of 3728	1580	msedge.exe	86
PID 1580 wrote to memory of 3728	1580	msedge.exe	86
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 3144	1580	msedge.exe	87
PID 1580 wrote to memory of 1020	1580	msedge.exe	88
PID 1580 wrote to memory of 1020	1580	msedge.exe	88
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89
PID 1580 wrote to memory of 4672	1580	msedge.exe	89

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1267410065145593918/1267412602447990826/setup.zip?ex=66a8b177&is=66a75ff7&hm=25889dd9dddcffc74a9bfa5301612c6e4360f1a057c5e7506ad1fb4a2463f0c4&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1580
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd452846f8,0x7ffd45284708,0x7ffd45284718
  2⤵
  PID:3728
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2144 /prefetch:2
  2⤵
  PID:3144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2448 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1020
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2840 /prefetch:8
  2⤵
  PID:4672
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3396 /prefetch:1
  2⤵
  PID:3356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:3080
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  PID:2808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4872 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4920
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5348 /prefetch:1
  2⤵
  PID:3140
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2216 /prefetch:1
  2⤵
  PID:468
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3740 /prefetch:1
  2⤵
  PID:3760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3568 /prefetch:1
  2⤵
  PID:220
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5000 /prefetch:1
  2⤵
  PID:4656
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3672 /prefetch:1
  2⤵
  PID:2320
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
  2⤵
  PID:4588
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5880 /prefetch:1
  2⤵
  PID:2476
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
  2⤵
  PID:5060
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6068 /prefetch:1
  2⤵
  PID:4856
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5636 /prefetch:1
  2⤵
  PID:408
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3376 /prefetch:1
  2⤵
  PID:1356
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6060 /prefetch:1
  2⤵
  PID:4908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=6604 /prefetch:8
  2⤵
  PID:780
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
  2⤵
  PID:840
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6616 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4660
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2128,7692969474204725970,15823469400504240467,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=6232 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:1260

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2924

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3760

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3312

C:\Users\Admin\AppData\Local\Temp\Temp1_Xeno-v1.0.9-x64.zip\Xeno-v1.0.9-x64-New\Xeno.exe
"C:\Users\Admin\AppData\Local\Temp\Temp1_Xeno-v1.0.9-x64.zip\Xeno-v1.0.9-x64-New\Xeno.exe"
1⤵
PID:4288

C:\Users\Admin\Downloads\Xeno-v1.0.9-x64\Xeno-v1.0.9-x64-New\Xeno.exe
"C:\Users\Admin\Downloads\Xeno-v1.0.9-x64\Xeno-v1.0.9-x64-New\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4660

C:\Users\Admin\Downloads\Xeno-v1.0.9-x64\Xeno-v1.0.9-x64-New\Xeno.exe
"C:\Users\Admin\Downloads\Xeno-v1.0.9-x64\Xeno-v1.0.9-x64-New\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
bffcefacce25cd03f3d5c9446ddb903d

SHA1
8923f84aa86db316d2f5c122fe3874bbe26f3bab

SHA256
23e7cbbf64c81122c3cb30a0933c10a320e254447771737a326ce37a0694d405

SHA512
761dae5315b35ec0b2fe68019881397f5d2eadba3963aba79a89f8953a0cd705012d7faf3a204a5f36008926b9f614980e333351596b06ce7058d744345ce2e7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
d22073dea53e79d9b824f27ac5e9813e

SHA1
6d8a7281241248431a1571e6ddc55798b01fa961

SHA256
86713962c3bb287964678b148ee08ea83fb83483dff8be91c8a6085ca560b2a6

SHA512
97152091ee24b6e713b8ec8123cb62511f8a7e8a6c6c3f2f6727d0a60497be28814613b476009b853575d4931e5df950e28a41afbf6707cb672206f1219c4413

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7f991c48cfe8e6bbfeb41fd84a299fff

SHA1
375d18406664c0d8ff01a355224f4d1039822bd9

SHA256
6e33c07fedec6116c08f716b0c73fca0fbb86b15509a142455db1ad5f720a242

SHA512
2702fa311cf769de683d127b1e29b6af53c5407c692e0f3d60535ae52129e489648a325266d29bbc208b1830aea63593c48b032fcd5850d1fc0dc19d280ab810

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
6c1743f6464ec6bc3ed120600cd07fc0

SHA1
61499752c0ab48d8cb6477ce48abdc3c4cc87d16

SHA256
3172bec03a52b87306ed8a8a5ec00e86738007fea404d5b673773030220fa44c

SHA512
05a4c776f2ae1aa6abd0665c01ad4584e55952688b54e0e980f41fc9489bb8a920e8605d0d0b3a83d6f3b99741954b906bbdacac1c00a9de76d6ca4958237ed9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
91a91578e3d6ae26eadc14c512e44557

SHA1
4ad700498e9460886d2e45fe1bd84b9bc2c799c1

SHA256
18893f92d3708e68f716d093e5d56996b9c7f6e6b8aa7a374f71ffe503b9be84

SHA512
93cba06ca40f61833458b5e9efcfe2829c48b2ef880a59beabd75124db71745fd33df85f3be16213854d1969c2d450f5fb31adb5bcad6b57d5b2764580efed28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
d9e878b346076eb273b58087588e6ec0

SHA1
a617a4a7f1dc83efa8c0717e47164a090adef051

SHA256
d3ff8ad1c6b3e4eef7720b6fa5204a8f3a937209529893ba715b29eca5a3166b

SHA512
8b12cb416cb837768aae0a97593445e150b36d2f3b481369ee447d8ace23a59ae2b4ce6ce5b6c4f00d981920f3504e17a76074c2217eeec652533ac2e1298111

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
4a04f560dba32f5fbc3179513cd165b2

SHA1
5e2b878fe516370255ebb67e9c749980fd94ff26

SHA256
fd56f6faa30abd820cd8ed89e410d8a132cc77f3954e9466623a13323abf9947

SHA512
15d624e4d7be7d5391700bf2dd173a88eba857181c6ee0bfc43da5b621ffaf06a672c80fdf7ba18fe0eba0432fc11159d4b2866f3e7ad0d87031889847d2bf25

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
11f05d2140b7adf3343f18510a650d7b

SHA1
83e5578177c77394c3db99ccfbd64cbfe0569229

SHA256
d7fddface62ad366806d063c3d07ab3b555bde88e78dc924e2b828b0477e8cb7

SHA512
cdcd6044a63a09b283bcbe11226e99b48f1c5a7ad14f313e0d4711f848bac29e07cdc576c11c77e6dbb3772ca99e67b0e17c996b4d8bf2ce9b1f1a23c5950df7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
5a02c2635ccbc4173525e710073e1b69

SHA1
6819854e23d2e343029e1773c290113867b91ab1

SHA256
6ec82f7bb7f12a9089b1b786ad5f23262e9d66b5a193f42aa52e01b1c69b1f59

SHA512
8df00049a186913a0c92aab6bca9f6a34f5727696080b1f908a8dcb4b2c819c3591864a247cb233f2754f10feb09c29903c43939bfbbdfe4ac95ad520b320fad

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
099fbc2767e244d8840ad9ba79e6b2dc

SHA1
9b090d660211e4d04d52ea416a0afd146de9d549

SHA256
3a21d176bc37a766c4f0f598a35dfa175ceef7ab654ce4fc48e98f61321ac66b

SHA512
727337f6d9617b6a9c0d92db70cc1198b6c3c72bfca947ff58ffaa0593b68df1eb0000348034d1c2f1371ea0af24bb0030442c6f35b41fea9cd93d919fcd2fdc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
8KB

MD5
c64d8b82ca482481c0d788f8f72875a6

SHA1
bc73dd5b47d75806b3a69d4afaa9666abe13e2d8

SHA256
20343728611e9fada7b59e24517bdb4dc3605fee15a16001e89798d98ef7d334

SHA512
09edf8bf42c250fbbdc27c46f0363fc1f665fb910570342be091605510586aee7a22ee9cb12a99559ab5375b4a68fa08d30a68aedcb0cbe61de0b9c0bbbf14fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58246b.TMP

Filesize
536B

MD5
5d536c8be0f2dd11cd21ff65035c2311

SHA1
ed1600a83d7f318c3ab9b7eff0b4343df056f11c

SHA256
846dd3d54412bce8f9c7ecb1e79073b6cfe2d204ea3b877adb9e2801cf58f02a

SHA512
cc06a8f02b9a4b751f5d97dbc156e25ea2c582ee0ee42c0a7dcab36a521789162a43aedaeaf3dfbaca3dc78b6db9ab4ca988fe0c656b24cf80b65300ff7b58df

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\c0699a1c-f648-4c4b-ade3-85fb86c84677.tmp

Filesize
871B

MD5
e754b34b0b3c26b170951723511d7d30

SHA1
8dda78fb18e28b9c679403fe6fafd22e8500ecdb

SHA256
67c31f5ea4fd82a58df816849f3e53102c979e01c70c6453f21df36e63128a63

SHA512
361c87ed719bd3184693525a6f05df37d682edcdba8a0e9cc4724e51d4e9eb841e3af1a6d2641f022b8eba2878ace73833f5ae69b210d4384006cf00a97f6bbb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
d3decd7f3757c8758078fba08177725c

SHA1
50d9743ff4b73fb1433fd59c63f724c39fafa2cb

SHA256
6543b91c79296bc412be9fccc5d97092a267bb4c3e787f288c6fff9787aca8d2

SHA512
e48565bc6ad3d68b174cecc5a71b9e099c0fb8f9571bfa2b945b37676a02a095ecc04f9188e513574c1dfebc665f5a5e7f4b47ad11058a1067580eea351bed97

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
879d0d672311cd07eb9f327f26b2d7ac

SHA1
69f5cc8257fcd20d47fdbb5b4ab7e9db4eca5f4e

SHA256
1c66378d53ae20247803514b5f8b2e680090e6ac3e72ed11c6d38f620a683f43

SHA512
9c7a518c807588040bda1620a9eef1015cf7c73fd98198cdfd1015d6e2be2879054d202540c97abc59d0f9e6b0dc4b1958d469845d42317fc143cf27509930c5

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.0.9-x64.zip

Filesize
7.1MB

MD5
b32e1b06f1a530bdfd3c43abde00df1e

SHA1
5f25d1ce95c71963b67708e13739b8e3ebd65d9b

SHA256
d4494d6239ab355a31308234f5c4508c6b31cb2e89e0636101de41bd60d544fb

SHA512
5f249c82222bcf8ce8b3e65720c2aa362c8ab6ff53c4aa5e1193a9f48ad628a7edf18f4756f3091f8b0ba0498dd0ef82fe0fe787c5e31a404679b8bea1171e93

Download Submit