2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
147s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
15-08-2024 08:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

msedge.exemsedge.exemsedge.exeidentity_helper.exemsedge.exe

pid	process
3384	msedge.exe
3384	msedge.exe
3444	msedge.exe
3444	msedge.exe
4172	msedge.exe
4172	msedge.exe
4760	identity_helper.exe
4760	identity_helper.exe
1732	msedge.exe
1732	msedge.exe
1732	msedge.exe
1732	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 18 IoCs

Processes:

msedge.exe

pid	process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

HorionInjector.exe

description pid process

Token: SeDebugPrivilege 4348 HorionInjector.exe

description	pid	process
Token: SeDebugPrivilege	4348	HorionInjector.exe

Suspicious use of FindShellTrayWindow 25 IoCs

Processes:

msedge.exe

pid	process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of SendNotifyMessage 12 IoCs

Processes:

msedge.exe

pid	process
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe
3444	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

msedge.exe

description	pid	process	target process
PID 3444 wrote to memory of 1120	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 1120	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3332	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3384	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3384	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe
PID 3444 wrote to memory of 3236	3444	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4348

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3444

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffb33bf3cb8,0x7ffb33bf3cc8,0x7ffb33bf3cd8
2⤵
PID:1120

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1812 /prefetch:2
2⤵
PID:3332

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2296 /prefetch:3
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:3384

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2556 /prefetch:8
2⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
2⤵
PID:2780

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
2⤵
PID:940

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4856 /prefetch:1
2⤵
PID:1224

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4048 /prefetch:1
2⤵
PID:2896

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4172

C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5368 /prefetch:8
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:4760

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3564 /prefetch:1
2⤵
PID:2592

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:1
2⤵
PID:4588

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3476 /prefetch:1
2⤵
PID:2220

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3776 /prefetch:1
2⤵
PID:2100

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
2⤵
PID:2284

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5076 /prefetch:1
2⤵
PID:4124

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5776 /prefetch:1
2⤵
PID:3132

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5412 /prefetch:1
2⤵
PID:4812

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=19 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
2⤵
PID:692

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=20 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4604 /prefetch:1
2⤵
PID:2944

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4036 /prefetch:1
2⤵
PID:1500

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6252 /prefetch:1
2⤵
PID:1660

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=23 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5532 /prefetch:1
2⤵
PID:3200

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=24 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5904 /prefetch:1
2⤵
PID:1876

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1868,15124090995260280330,5539943148397954553,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=3012 /prefetch:2
2⤵
- Suspicious behavior: EnumeratesProcesses
PID:1732

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1352

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:2920

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
228fefc98d7fb5b4e27c6abab1de7207

SHA1
ada493791316e154a906ec2c83c412adf3a7061a

SHA256
448d09169319374935a249b1fc76bcf2430b4e1436611f3c2f3331b6eafe55a2

SHA512
fa74f1cc5da8db978a7a5b8c9ebff3cd433660db7e91ce03c44a1d543dd667a51659ba79270d3d783d52b9e45d76d0f9467458df1482ded72ea79c873b2a5e56

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
026e0c65239e15ba609a874aeac2dc33

SHA1
a75e1622bc647ab73ab3bb2809872c2730dcf2df

SHA256
593f20dfb73d2b81a17bfcc1f246848080dfc96898a1a62c5ddca62105ed1292

SHA512
9fb7644c87bdd3430700f42137154069badbf2b7a67e5ac6c364382bca8cba95136d460f49279b346703d4b4fd81087e884822a01a2a38901568a3c3e3387569

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000002
Filesize
209KB

MD5
3e552d017d45f8fd93b94cfc86f842f2

SHA1
dbeebe83854328e2575ff67259e3fb6704b17a47

SHA256
27d9c4613df7a3c04da0b79c13217aa69992b441acb7e44bf2a7578ca87d97d6

SHA512
e616436f2f15615429c7c5c37de3990c3e86c5e1da7d75a0f524fc458b75d44a5be1a3648a628d63e1cf8aa062e08b538f2f2bc9c6a0b42157beb24f82c571d9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000007
Filesize
24KB

MD5
c594a826934b9505d591d0f7a7df80b7

SHA1
c04b8637e686f71f3fc46a29a86346ba9b04ae18

SHA256
e664eef3d68ac6336a28be033165d4780e8a5ab28f0d90df1b148ef86babb610

SHA512
04a1dfdb8ee2f5fefa101d5e3ff36e87659fd774e96aa8c5941d3353ccc268a125822cf01533c74839e5f1c54725da9cc437d3d69b88e5bf3f99caccd4d75961

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
312B

MD5
14498ae775e747e78522ecfc2775c323

SHA1
e85f9e388074c0c792a1df04baa38175a1fb36f7

SHA256
e21eff4861f91b72ceb28363a060a56084685565851d905c68a24f289f0366ae

SHA512
b9c5fabcf228cc7639fb0972a749d4bf9f2bdf971d154ed0a08cd374ea189cc1db0b79e3683f597c9a7dc995e1f92f8de9d582b43837c423323e576079684332

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
168B

MD5
b3b0cf7bc2461c054f34f899605a5936

SHA1
4f196e593e30af7bbb572695b6b51e5bbdd6eca6

SHA256
9b6122f30cbc70b78ef10ddffde2759cee540c4ef19433e9e841393dadadb934

SHA512
0edec0795f65b3210534f94cbcdae6b9fad7e843b9c05f621f647904c955818493f8a1e49e5422f40afc18b737b5c6e9fc0ed736028358951495b2123f87e085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
1c5cb955783f56a2e97d6d26d7cdfc72

SHA1
84bd0d065f23d38fcd6ad1c0eaf6e18c500a2a4b

SHA256
25065ca7634f9cd8aa5c1c31caa96d2c998e9d8b139547f1554feff3a213b777

SHA512
88b997c33cefe28b8d1b252facae244cdf27a6f43864e2076c5077f7d90c606468c9882c09e03f348644773c9e8e63764d1f5b47776ff6a6f560204dd3efd521

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
1KB

MD5
eb2ffbce514b3522ca0d855f48fe10de

SHA1
ae59ab77713085c36ed6237ffd29bc364e315719

SHA256
20ec6849d4e3145dee15caaf2c8bb9e32b496e1cf040411021ab4eb20147b20f

SHA512
418cb932edda66a849236836ad67c9a14f7aed6bfe34f951833e815af6d23ebd64a3b74ab4230996b782751500d40a302aced332b1d19d7ada4633f20b27cff4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
4dcb0be47c0e43b85cea00988a053e8d

SHA1
c6e98ca070a3c25983333d5cb909254f948c7dd7

SHA256
be6c2b1988146f615d90dd73316323cc105a6557f6e333e600ad89982bc534ca

SHA512
4ce7945a6a791e8a8952a81745c1930554f79766528e05e992ca0e5fc84e161e00a44fa5ae1e6fa777b86098d7409106c898949aa83671c139257f9ab7d4bdb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
dcefd87d51439fdc26bbc67b5d2654b3

SHA1
6a2929db4ff13868e33d2e6f1cbecc46d9456dab

SHA256
3371dca0d730fa5049dbc608c25c49d4ea1251f4b30c9ab2aa843a4bdab501bf

SHA512
dffbee57ad5c62cc925a9683da3e9bab02964b0f3e1db374588773e8c731334db89e333c866c89fbf56a01decbcf09e8407336e3b8a85d09c9f0105101185b49

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
e08eaa54252d622b4a9b5a65073cf270

SHA1
884933f65acefc45a3836df404ed0cd4e9943075

SHA256
b4b1de968014d5d59231e62e0e1f194eb07f37b3538713f5e8c72fa713332b9e

SHA512
edbe7ce2f5befa42e70d21d4661737af373ba96b5a308797ef3701d0f059abb5aec282adcb87d47bee5c0b8a0d95461c3c7838226ec5caf971bb004095900269

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
8KB

MD5
207e5227b2e00b9f578f76aab19ac003

SHA1
ddbf83d8f2e6bd46a210c5a505fc3a9fdaa77e7a

SHA256
06a958c7152d5e2c82554c242ee2de53c9a02a4c940a7d08a488ce7dbf2a8d0d

SHA512
38c8ca534d2ca5abefc015b78bb3e4b50594872cc08cd86c7a34433016f89c64ed2a82bb6e58bdc8e3957035bc7049a509013a2fca4113debde37c5e7a144101

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
5KB

MD5
2dc1cb274d3c32443e5d68df44b3f964

SHA1
293fb610fef483142da3df390bc7922cc0f1f214

SHA256
b1551c27ef4ac5bce1a31d86ac53d817e03ff8e38a29c977abc85f0f5de0c124

SHA512
0a5c72dc14a6266bd3e3284f84b65227d97ecd262de843f3b89d9e6c8240499c2f95e3cd73f3c9b750b69665e235659fb7f8d9d003ccf347d085e5813b3c20b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
Filesize
16B

MD5
206702161f94c5cd39fadd03f4014d98

SHA1
bd8bfc144fb5326d21bd1531523d9fb50e1b600a

SHA256
1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

SHA512
0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
11KB

MD5
c6e261fe20e22c78681c22c7b1f0c1db

SHA1
9318521458e22a49c09f2c8d285c7ed4d51fc848

SHA256
6202bf6377b702f36ce7e33523451b228a35552e172ec7fce6a036f9f925455f

SHA512
8401870731f224b932048ee03b1734b4cbbb87f9cd703011fe1e392322cf14ad5d4393998c2f029471865121b25a2b7f45a86169984539a8a4df4fb031ae3103

Download Submit
\??\pipe\LOCAL\crashpad_3444_DMUXKJPWDRQRDUHL
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/4348-34-0x00007FFB3B213000-0x00007FFB3B215000-memory.dmp

Filesize
8KB

Download
memory/4348-0-0x00007FFB3B213000-0x00007FFB3B215000-memory.dmp

Filesize
8KB

Download
memory/4348-3-0x00000251FA3F0000-0x00000251FA4AA000-memory.dmp

Filesize
744KB

Download
memory/4348-35-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4348-2-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4348-5-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download
memory/4348-1-0x00000251F7BD0000-0x00000251F7BF8000-memory.dmp

Filesize
160KB

Download
memory/4348-4-0x00007FFB3B210000-0x00007FFB3BCD2000-memory.dmp

Filesize
10.8MB

Download