hxxps://cdn[.]discordapp[.]com/attachments/1267410065145593918/1267412602447990826/setup[.]zip?ex=66a8b177&is=66a75ff7&hm=25889dd9dddcffc74a9bfa5301612c6e4360f1a057c5e7506ad1fb4a2463f0c4&

max time kernel
148s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
20/12/2024, 12:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://cdn.discordapp.com/attachments/1267410065145593918/1267412602447990826/setup.zip?ex=66a8b177&is=66a75ff7&hm=25889dd9dddcffc74a9bfa5301612c6e4360f1a057c5e7506ad1fb4a2463f0c4&

Score

6^/10

discovery

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
42	raw.githubusercontent.com
72	raw.githubusercontent.com
73	raw.githubusercontent.com

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4018527317-446799424-2810249686-1000_Classes\Local Settings	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Xeno-v1.1.0-x64.zip:Zone.Identifier	msedge.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2548	msedge.exe
2548	msedge.exe
5776	msedge.exe
5776	msedge.exe
3068	msedge.exe
3068	msedge.exe
936	identity_helper.exe
936	identity_helper.exe
6056	msedge.exe
6056	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3276	msedge.exe
3904	Xeno.exe
3904	Xeno.exe
3904	Xeno.exe
3904	Xeno.exe
3904	Xeno.exe
3904	Xeno.exe
4052	Xeno.exe
4052	Xeno.exe
4052	Xeno.exe
4052	Xeno.exe
4052	Xeno.exe
4052	Xeno.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 14 IoCs

pid	Process
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe
5776	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5776 wrote to memory of 5760	5776	msedge.exe	77
PID 5776 wrote to memory of 5760	5776	msedge.exe	77
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 3300	5776	msedge.exe	78
PID 5776 wrote to memory of 2548	5776	msedge.exe	79
PID 5776 wrote to memory of 2548	5776	msedge.exe	79
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80
PID 5776 wrote to memory of 1968	5776	msedge.exe	80

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://cdn.discordapp.com/attachments/1267410065145593918/1267412602447990826/setup.zip?ex=66a8b177&is=66a75ff7&hm=25889dd9dddcffc74a9bfa5301612c6e4360f1a057c5e7506ad1fb4a2463f0c4&
1⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:5776
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb23ba3cb8,0x7ffb23ba3cc8,0x7ffb23ba3cd8
  2⤵
  PID:5760
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1956 /prefetch:2
  2⤵
  PID:3300
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2548
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
  2⤵
  PID:1968
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
  2⤵
  PID:3652
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
  2⤵
  PID:6000
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4128 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3068
- C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5016 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4656 /prefetch:1
  2⤵
  PID:4144
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
  2⤵
  PID:2592
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3328 /prefetch:1
  2⤵
  PID:4892
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5228 /prefetch:1
  2⤵
  PID:3872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5564 /prefetch:1
  2⤵
  PID:3912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4684 /prefetch:1
  2⤵
  PID:5260
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:3908
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:5052
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3500 /prefetch:1
  2⤵
  PID:4024
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6040 /prefetch:1
  2⤵
  PID:688
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5536 /prefetch:1
  2⤵
  PID:5680
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5660 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6572 /prefetch:8
  2⤵
  - NTFS ADS
  - Suspicious behavior: EnumeratesProcesses
  PID:6056
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1924,12301427422267789297,16063114770872307096,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=6040 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3276

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2708

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3016

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2196

C:\Users\Admin\Downloads\Xeno-v1.1.0-x64\Xeno-v1.1.0-x64\Xeno.exe
"C:\Users\Admin\Downloads\Xeno-v1.1.0-x64\Xeno-v1.1.0-x64\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:3904

C:\Users\Admin\Downloads\Xeno-v1.1.0-x64\Xeno-v1.1.0-x64\Xeno.exe
"C:\Users\Admin\Downloads\Xeno-v1.1.0-x64\Xeno-v1.1.0-x64\Xeno.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:4052

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
003b92b33b2eb97e6c1a0929121829b8

SHA1
6f18e96c7a2e07fb5a80acb3c9916748fd48827a

SHA256
8001f251d5932a62bfe17b0ba3686ce255ecf9adb95a06ecb954faa096be3e54

SHA512
18005c6c07475e6dd1ec310fe511353381cf0f15d086cf20dc6ed8825c872944185c767f80306e56fec9380804933aa37a8f12c720398b4b3b42cb216b41cf77

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
051a939f60dced99602add88b5b71f58

SHA1
a71acd61be911ff6ff7e5a9e5965597c8c7c0765

SHA256
2cff121889a0a77f49cdc4564bdd1320cf588c9dcd36012dbc3669cf73015d10

SHA512
a9c72ed43b895089a9e036aba6da96213fedd2f05f0a69ae8d1fa07851ac8263e58af86c7103ce4b4f9cfe92f9c9d0a46085c066a54ce825ef53505fdb988d1f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
fcf98d07f03ef328f8365df0111db4e7

SHA1
2c45709cc0018666ffc70c031c248275397905e0

SHA256
079e340344de1ef80f578c58232b9aee959dec41ca4621260c56c267e011b07a

SHA512
43ad3f9f4e2670ae7a7d1400def294f0ce7fc6fe867cf4da381f7a780983b2dbcf0fd2562a5ef8884cfc2791463bd25a12742e4f09d9ee70514c76beb60afb28

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
0872b4ee59afcfb842559d2cf346a136

SHA1
b54b0c60818d319bfc6b165cef20024a1127aae4

SHA256
e7c0edfda10a8dc733adcdda35ae36f77f95ca61ddb37996d280de17cb0d9825

SHA512
0d28348b0cabc2e329df2d2d47bfb8cb4d51512c7ddf7af72858ce8bf17059e95def5a7fcd3f4c1b81e139ef543345341f67f60f125022932a6b8ce3cd9d02d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
2KB

MD5
6e63233bc88d129f1a77a2be317dd26b

SHA1
de09150786068095a6da78b793353e9c614d04f6

SHA256
1845163ae94820fcc7b451e483ed71df182a38719dce0c5da1b8f6ceae7d0fc4

SHA512
97d330518b8afc5fef5b5533af4c905e687fd73e676039ae3f0c68ab3450c94b61aeac3dfb2a3d8fa769c05839263bb92c86ddc5a6b689dfd6491cb972ae6fd5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
3KB

MD5
b135873bb85344df81bbe911508068a7

SHA1
7d8118b9d48db0a0b786121df50f093130e33936

SHA256
84caf45aac53b6ba6ce97a31b789d834bf2db9b3abd73cce93b46cf4744b3342

SHA512
e9ae481635569880a4a5386d32d7b6b878e4d1e99c8b77799934b155b646f744ec15131ba41670d543efbda55fa338efe21ae4f8d4d6c4a428361c2cc88bdc13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
618a6019f945feeff00b07fdb3212246

SHA1
8784f9882782ac7316abda44739f0b2961238486

SHA256
c64dae020f792c8c40ae5cc4661e7e477bd584ce70bec35af73e549bde9aed4d

SHA512
f47b2ab478e389d57207643fdcdc907ea59b849776489726995608a95b135a1f18d09601f04fd908d7eb61a09d5e17affc55cd0aabdc85958da0968d9fc2b891

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
7KB

MD5
0889ab9a33af19ff003d1c206ba826ac

SHA1
539075935ee80cd47731e9bdbe698ee702deb504

SHA256
cab9f5d83f19ec701ca0bc0ece6e5f6dff42e10ed4bdc3d70d9b2824816c2743

SHA512
b8c297a3d8e12e429fa6a8919b889458b97d2f6c0c1c4ce55134f32df933725235f545ed95f5b7bd056f1a75268963806bad561fd79b2d4ddcf449b065538ab3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
1576797cfcc6646b12d38fb574faafb4

SHA1
bfdc65ca86934bbaea890b47887404b1a5be8163

SHA256
79b3018697d2a5fecb9f9b72d433aa88e386d91d7428d72a46afaee1021ff65c

SHA512
38abfc1566ea67a09bccf63cdc6ab60a145d73a230a8ea03896bc801cca364964967d661f96731e0541fc1963e3377d90e3b027ff2d9a815e2ec24cffca268e0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
871B

MD5
722fbdd7425c6c786860132c38cef0ff

SHA1
bdb19fade0cb81a5dfb9c500b1aef35c293548bf

SHA256
f7bb67f7f938504fbfafed90e9890f7efef8981d17844b6a86e1f1a866a37c07

SHA512
cb9ef3fdd3d98faaaca9eb1ecd87c62a4687eff1c9296e67e27ecefb7ed37970fc391887c733eae2feaebd9222550200aae095a9b9019542828f4f89e4f7daed

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe581df3.TMP

Filesize
869B

MD5
11e31c5fa2a304c33c2797c4f7014494

SHA1
578a6b81a0a07491cbf048cbd151963b9ae54e2e

SHA256
e96c7646ae0351f43d4477704c776c84d8726f360da4f0671b0fc87498221a31

SHA512
1070f682efe2e3847ea1ba328b595166ad6216ec071415b2121ccf8accbf498360395d70cd57d1692e1097bf360555a1e878d4290188fc690cf2573fc8526b5a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
6e4e38e5b0dfbc0e2f35aedccf01cb3e

SHA1
2023e0cdc29bbab606467837b54a66919be753f1

SHA256
f51367309e4afa5ab29f3e701bab14c5f1b520f48fb18f20b677cdab1ab6123b

SHA512
edd6c7973afe60dddc0232b5a8ada3fe550da178df39be69d9924f1f4908ef27130954ad6b7d3fa9a3beb7fa9028e182938309f19176d780bef22696b3d41bca

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c3abb59903c17bf01f740a1fca33451b

SHA1
4a0e312b542bbbb2c1115c255fb5997dca452ea7

SHA256
b08fc190e1e7f5db02b53451abd608c404a12dbf7cb1bc5bda39b6d928428038

SHA512
20a4e69d74e491d7e30c528fe3db78cfd61cb705b89fe42b06784fd90c27e018f5d999d2107077260321dbc9f6f6872ea1461eba080a12d802fe1a181cf4f5a7

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.0-x64.zip

Filesize
4.5MB

MD5
93357db14af91a53bcab556e80103c1c

SHA1
7643f56e7ceace571c7000b937275f747af659af

SHA256
80c4016577c11791f64e2d43e1dfad2b01adf7276100400a4421b48df6e6fbfe

SHA512
5a46cb9f2a3ce090eb44e57609dd12bff268d5df09666ec1fb71f7e9f9d170a58994c4a5a1eef3e23fd91e08f3b47b6d90954cb9477017a71f81c1e1e950f1e4

Download Submit
C:\Users\Admin\Downloads\Xeno-v1.1.0-x64.zip:Zone.Identifier

Filesize
65B

MD5
1792d78568e0cfa5b836d17b187053bb

SHA1
00b7ca8a8bba9303d3fd46cc0f94b1628dea9953

SHA256
c8f2507dffe7f2e2ff80dc4181854cdeafc8ab3feb6f976980c732b039e21f74

SHA512
f9357253b348d03ca82716aaab03292353e7ec040a4abdc289ffaf7207c97e180aab28aa93294f1a3e7c4c3376a386d21b86eb481913663debd49ae6040f53a7

Download Submit