2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
71s
max time network
71s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
09/08/2024, 23:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\Registry\User\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\NotificationData	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1735401866-3802634615-1355934272-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe

Suspicious behavior: AddClipboardFormatListener 2 IoCs

pid	Process
4888	explorer.exe
4412	vlc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe
4424	HorionInjector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4412	vlc.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4424	HorionInjector.exe

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
872	helppane.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe

Suspicious use of SendNotifyMessage 34 IoCs

pid	Process
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
4412	vlc.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe
236	msedge.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
4888	explorer.exe
4888	explorer.exe
4412	vlc.exe
2380	MiniSearchHost.exe
872	helppane.exe
872	helppane.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4424 wrote to memory of 3156	4424	HorionInjector.exe	80
PID 4424 wrote to memory of 3156	4424	HorionInjector.exe	80
PID 872 wrote to memory of 236	872	helppane.exe	95
PID 872 wrote to memory of 236	872	helppane.exe	95
PID 236 wrote to memory of 3196	236	msedge.exe	96
PID 236 wrote to memory of 3196	236	msedge.exe	96
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 4556	236	msedge.exe	97
PID 236 wrote to memory of 5064	236	msedge.exe	98
PID 236 wrote to memory of 5064	236	msedge.exe	98
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99
PID 236 wrote to memory of 4480	236	msedge.exe	99

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4424
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:3156

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4888

C:\Program Files\VideoLAN\VLC\vlc.exe
"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\Desktop\MoveMerge.mp4v"
1⤵
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
PID:4412

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2380

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4156

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,Control_RunDLL C:\Windows\System32\srchadmin.dll ,
1⤵
PID:5208

C:\Windows\helppane.exe
C:\Windows\helppane.exe -Embedding
1⤵
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:872
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:https://go.microsoft.com/fwlink/p/?linkid=852246
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb3d5a3cb8,0x7ffb3d5a3cc8,0x7ffb3d5a3cd8
    3⤵
    PID:3196
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1916 /prefetch:2
    3⤵
    PID:4556
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2256 /prefetch:3
    3⤵
    PID:5064
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2604 /prefetch:8
    3⤵
    PID:4480
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3324 /prefetch:1
    3⤵
    PID:3460
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3388 /prefetch:1
    3⤵
    PID:1972
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4088 /prefetch:1
    3⤵
    PID:4416
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4904 /prefetch:1
    3⤵
    PID:436
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3276 /prefetch:1
    3⤵
    PID:1408
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3976 /prefetch:1
    3⤵
    PID:1192
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
    3⤵
    PID:2028
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5640 /prefetch:1
    3⤵
    PID:832
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5028 /prefetch:1
    3⤵
    PID:3384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5044 /prefetch:1
    3⤵
    PID:3648
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5968 /prefetch:1
    3⤵
    PID:5552
- - C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6096 /prefetch:8
    3⤵
    PID:1796
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,18119573230861017513,800314189636686570,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5264 /prefetch:8
    3⤵
    PID:5564

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5420

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:6136

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6fdbe80e9fe20761b59e8f32398f4b14

SHA1
049b1f0c6fc4e93a4ba6b3c992f1d6cecf3ada1f

SHA256
b7f0d9ece2307bdc4f05a2d814c947451b007067ff8af977f77f06c3d5706942

SHA512
cf25c7fd0d6eccc46e7b58949c16d17ebeefb7edd6c76aa62f7ab5da52d1c6fc88bde620be40396d336789bd0d62b2162209a947d7ab69389e8c03682e880234

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
9828ffacf3deee7f4c1300366ec22fab

SHA1
9aff54b57502b0fc2be1b0b4b3380256fb785602

SHA256
a3d21f0fb6563a5c9d0f7a6e9c125ec3faaa86ff43f37cb85a8778abc87950f7

SHA512
2e73ea4d2fcd7c8d52487816110f5f4a808ed636ae87dd119702d1cd1ae315cbb25c8094a9dddf18f07472b4deaed3e7e26c9b499334b26bdb70d4fa7f84168d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
456B

MD5
b02a2d5d41371fb7c329e04c934d44f6

SHA1
34f38913163a270db467884141558365a5d8b72c

SHA256
f8fdc7062ca3b40e32e9f20d13a18b63ca2bad230c3a3e2f094730d9bdda78e9

SHA512
d9ece965dbd474904c8a48115f341919b448a876800022ef4fb9546a03a71dc1338941e1c520cad7638a13e9dafd65ce14a8c4a7bdb8ab72c03f86e9d6ffad62

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
1KB

MD5
df92b1ba3db1a23c3db00a117e738b9a

SHA1
ffc6dabd7e2ef969983214053b5c49b33c8b9a2c

SHA256
f2dfb9786fd9d0b87adc19986edf6652d71fada5a50d1be2619da94097127040

SHA512
555dd93d9c3031bfe2acd61a4186df087f7642cc07829eeeb946b5da6888b4f92cc711734dc34d15159923f7c0f444e58ea9c60849243415d73c08f1c7196e95

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
d0fc12216bed99fc8a596adb3339a4b2

SHA1
d458e3cee3ed40e00e9329b1e8cac2b010d357ce

SHA256
737c87d73966a82edefdab2cad99dc55a7e4dba50d384939e4fd6a8971eb60a6

SHA512
9fc70864d482b107f405589e178c9f9787dc332e12cc4294e132cdbf957c5b5572216723b53f503c046e8c642bb64cac481f11eac8bedf675ccf72e752133be9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
d33049239217f5f14c494044f05e5ab2

SHA1
f201f0235a865f23e423bc51648771984ceb8b16

SHA256
da385799dbf6e0473908957f913c5d14f5b36fdcf5ddb0f3b65d478a0587eb48

SHA512
4ef36bbc38489bab932d35a9d44b131b9d09aa733510481d2f2cf4733282d88f6079d3ab96829856ecd409e143b03cd1d692cfd1a533033f289ea253d1e596fe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
66e8526c3e351c3ba5d92906ec9170d4

SHA1
a551a939152866ec953d0cfdb6b7ce40afb140ed

SHA256
812f2ed8200e6fdfec4c01fe052b1befebeb3aec42800ceaa1326e4b58a2a6f3

SHA512
f0f777605178b402ff921e500172f9b2d06540e0b751575a898943404b6fa784a49d68c5f11fb9f0c3e8d30ef1ba507f9598dd0ae58ffe234f84fa240ee358e5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
278ee4406d50059c3f85e780ad469d81

SHA1
dd7fe07aa77260cd376c71fe655d80bf3f36e036

SHA256
8744e7c8152f6fb1ca9c6682a856c456ffc972931a977dfa6a016e757af6e32f

SHA512
a80e572bc23fe20684bf560791f51de23cc19f3a558102cf9e494485074f6939dfb9eb79a74587a9abececa29fded4b9769615a9d0ed52e3415c8493a358e00e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe58ba23.TMP

Filesize
1KB

MD5
e06b72e78767cd70397d4628a8b6c2dc

SHA1
c0b78de973cd2c444206f8a7c0243efb425ed553

SHA256
55975283c21d3c2c59260445546adda11a46537b78ce2467b4f75041efb7d951

SHA512
b48c1bd0657d933039e0483378edccdec5496e2bdd8dcec327c49920323772fb352ba6c3c40a7031ad6603282b4874e3b715eba5f4e2f07984ea5f91cec725d5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
23027d5eaf034df02e06f12eb029d373

SHA1
89297285e0235dbc17654024a37af27ab02d0487

SHA256
1a921c5c6d711dc9dbce198776c36a00bb5b478eaa823051ace3a84889ddcb87

SHA512
b953fbe645e9898d0eb1905cb7611d6c24c3137797f87df90c529702e173ba75ced73031cab9120aa7d4274364ca06b9746502e0a5f377aba580beb4df911ea0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\a4c9d03e-fbc0-4fac-b5e6-cc75e4dc9ac8.tmp

Filesize
10KB

MD5
5a5b97d49f4dda489a6918170657b809

SHA1
294485f5ba30a09a46b47be59a55e84c6f0183d8

SHA256
47ca701b785ec108f55696ad3e165003b5d06a09f4f1985d201e7ecca0d0fe3a

SHA512
d8290123b60751467752d81ed9256f0dc28ea6a1bb3a0d542d17f406410825595edcf42e4ad3c99988e7cfb177dffc90ae7bddbb328b311f1b4938231ad0e270

Download Submit
C:\Users\Admin\AppData\Roaming\vlc\vlc-qt-interface.ini

Filesize
76B

MD5
f87b8cf8d92c9196a241dd7ca58fb242

SHA1
d63bf1adafeb7f8869278fb12468828205a34e70

SHA256
7b37d58ea6e604481b81c92c02c07486e3b8e2077be86a442c6dbef84a909e22

SHA512
8ed8f495d5d5f2e5c70a4721b200b6b6998a8f5c0f5e8349bad883504cd22f1b861fc6636e9ffd9ebe56e92bfd3919131de3d75da83f7d780525360c03bc3d50

Download Submit
memory/4412-48-0x00007FFB42120000-0x00007FFB42154000-memory.dmp

Filesize
208KB

Download
memory/4412-47-0x00007FF7C91C0000-0x00007FF7C92B8000-memory.dmp

Filesize
992KB

Download
memory/4412-49-0x00007FFB30E00000-0x00007FFB310B6000-memory.dmp

Filesize
2.7MB

Download
memory/4412-51-0x00007FFB2F3D0000-0x00007FFB2F4DE000-memory.dmp

Filesize
1.1MB

Download
memory/4412-50-0x00007FFB2FB40000-0x00007FFB30BF0000-memory.dmp

Filesize
16.7MB

Download
memory/4424-14-0x00007FFB305F3000-0x00007FFB305F5000-memory.dmp

Filesize
8KB

Download
memory/4424-17-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-16-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-15-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-0-0x00007FFB305F3000-0x00007FFB305F5000-memory.dmp

Filesize
8KB

Download
memory/4424-9-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-8-0x00000186C9F10000-0x00000186C9F1E000-memory.dmp

Filesize
56KB

Download
memory/4424-7-0x00000186C9F40000-0x00000186C9F78000-memory.dmp

Filesize
224KB

Download
memory/4424-6-0x00000186C9EC0000-0x00000186C9EC8000-memory.dmp

Filesize
32KB

Download
memory/4424-5-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-4-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-3-0x00000186C5EC0000-0x00000186C5F7A000-memory.dmp

Filesize
744KB

Download
memory/4424-2-0x00007FFB305F0000-0x00007FFB310B2000-memory.dmp

Filesize
10.8MB

Download
memory/4424-1-0x00000186AB690000-0x00000186AB6B8000-memory.dmp

Filesize
160KB

Download