2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
118s
max time network
125s
platform
windows10-1703_x64
resource
win10-20230220-en
resource tags

arch:x64arch:x86image:win10-20230220-enlocale:en-usos:windows10-1703-x64system
submitted
07/05/2023, 12:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

8^/10

persistence

Malware Config

Signatures

Downloads MZ/PE file

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Windows\CurrentVersion\Run	chrome.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2252	2028	WerFault.exe	65

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe

Checks processor information in registry 2 TTPs 8 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133279436692106876"	chrome.exe

Modifies registry class 21 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-640001698-3754512395-3275565439-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4152	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2124	chrome.exe
2124	chrome.exe
4876	taskmgr.exe
4876	taskmgr.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe
2028	HorionInjector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2124	chrome.exe
2124	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeDebugPrivilege	4876	taskmgr.exe
Token: SeSystemProfilePrivilege	4876	taskmgr.exe
Token: SeCreateGlobalPrivilege	4876	taskmgr.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeDebugPrivilege	2028	HorionInjector.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe
Token: SeShutdownPrivilege	2124	chrome.exe
Token: SeCreatePagefilePrivilege	2124	chrome.exe

Suspicious use of FindShellTrayWindow 45 IoCs

pid	Process
3844	firefox.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
3844	firefox.exe
3844	firefox.exe
3844	firefox.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
2124	chrome.exe
2028	HorionInjector.exe

Suspicious use of SendNotifyMessage 40 IoCs

pid	Process
3844	firefox.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
2124	chrome.exe
3844	firefox.exe
3844	firefox.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe
4876	taskmgr.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
3844	firefox.exe
4152	explorer.exe
4152	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2536 wrote to memory of 3844	2536	firefox.exe	68
PID 2124 wrote to memory of 4660	2124	chrome.exe	70
PID 2124 wrote to memory of 4660	2124	chrome.exe	70
PID 3844 wrote to memory of 2832	3844	firefox.exe	71
PID 3844 wrote to memory of 2832	3844	firefox.exe	71
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 3516	2124	chrome.exe	74
PID 2124 wrote to memory of 2072	2124	chrome.exe	73
PID 2124 wrote to memory of 2072	2124	chrome.exe	73
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75
PID 2124 wrote to memory of 4760	2124	chrome.exe	75

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2028
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:320
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2028 -s 2688
  2⤵
  - Program crash
  PID:2252

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.0.1843380466\1916095133" -parentBuildID 20221007134813 -prefsHandle 1604 -prefMapHandle 1596 -prefsLen 20888 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc3cc7fc-7548-433a-8a57-0640ee0ba70b} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 1668 1df3700fb58 gpu
    3⤵
    PID:2832
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.1.1366447316\1757738895" -parentBuildID 20221007134813 -prefsHandle 1996 -prefMapHandle 1984 -prefsLen 20969 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b27a3855-400e-4822-8c24-daf0a98d3070} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 2032 1df35434858 socket
    3⤵
    - Checks processor information in registry
    PID:1732
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.2.292998458\350598962" -childID 1 -isForBrowser -prefsHandle 2812 -prefMapHandle 2824 -prefsLen 21052 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {966b5b7e-cd4a-4dcd-b8b1-0a96ac670e76} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 2424 1df39cf5558 tab
    3⤵
    PID:32
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.3.1238046250\272906923" -childID 2 -isForBrowser -prefsHandle 2428 -prefMapHandle 2436 -prefsLen 21158 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dffd9f6b-58ca-42a0-9a6e-7ee32d69c93b} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 1464 1df3a691a58 tab
    3⤵
    PID:1548
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.4.325363965\284401135" -childID 3 -isForBrowser -prefsHandle 3320 -prefMapHandle 3324 -prefsLen 21158 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b0d764f8-e0a1-43e8-a720-1ca09fcc726e} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 1320 1df3a691d58 tab
    3⤵
    PID:1800
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.5.2092385343\1118347642" -childID 4 -isForBrowser -prefsHandle 3496 -prefMapHandle 3500 -prefsLen 21158 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d5345bab-a04c-4b0b-9f33-5f8775c53faf} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 3488 1df3a692658 tab
    3⤵
    PID:1580
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3844.6.75107867\1649750340" -childID 5 -isForBrowser -prefsHandle 3344 -prefMapHandle 3348 -prefsLen 26844 -prefMapSize 232675 -jsInitHandle 1284 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8d2d6c66-bdc6-4e9a-b905-2a8887af32e2} 3844 "\\.\pipe\gecko-crash-server-pipe.3844" 2384 1df2b265858 tab
    3⤵
    PID:812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --single-argument C:\Users\Admin\Desktop\StartConvert.shtml
1⤵
- Adds Run key to start application
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xcc,0xd0,0xd4,0xa8,0xd8,0x7ffdd0409758,0x7ffdd0409768,0x7ffdd0409778
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1776,i,17932391107665416728,17064667821802088895,131072 /prefetch:8
  2⤵
  PID:2072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1652 --field-trial-handle=1776,i,17932391107665416728,17064667821802088895,131072 /prefetch:2
  2⤵
  PID:3516
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2092 --field-trial-handle=1776,i,17932391107665416728,17064667821802088895,131072 /prefetch:8
  2⤵
  PID:4760
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3084 --field-trial-handle=1776,i,17932391107665416728,17064667821802088895,131072 /prefetch:1
  2⤵
  PID:4372
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3092 --field-trial-handle=1776,i,17932391107665416728,17064667821802088895,131072 /prefetch:1
  2⤵
  PID:4380

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Drops file in Windows directory
- Checks SCSI registry key(s)
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4876

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4860

C:\Windows\system32\werfault.exe
werfault.exe /h /shared Global\665a4891503140a9990525565326e5d0 /t 4376 /p 4876
1⤵
PID:4016

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:4152

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
629B

MD5
9037208d7d7c36729d78dd0ade223412

SHA1
acd45204764766f203dd76f54a3746adac3ac8c4

SHA256
11794a3b82ff131984825e4e3225d7f0cff7458d66d55d32bb419e897d7a0a24

SHA512
ff125d08b05ab353f284b52fd6c792e8e551776c6ed376f3d4c7e4a10474f8fae06600b1796273675e2b116cb8b30e9b03bd9b5466220f0c0ec84cb971dd9993

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
69b922dd7ff63e367164ff1ccff9cfd2

SHA1
419b700cbfe7b5cc9d4d1e4e40e41cbbb34928fc

SHA256
815a3820eed2125921595d34816a8c1d76731e3ccd5d684148a548aa013524b9

SHA512
f820babb9c8f6fa6f0fe27a443cde05523ebef3e429a74da15db6881b738efba9a44e165ea12deef525c43cfa567d7329cae02332e2bda7c5c9164f1773edc7f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
5KB

MD5
5d8051bd3240910c01b96aaefb78b768

SHA1
5f61d8a820a1fe30ce906d5896cb0593a2f98696

SHA256
4bddebd148b78119a9a7e877fd82eb5643a66e94bbd26d027c50184c86aefd35

SHA512
235be17e328293389b62765f6cc27bc2d021098a234b58a6f912d4ae9acf986ca7138f46c2e572387bc6fe2cad565f1cb8f08569f0112c41504678966cbca206

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\GrShaderCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
148KB

MD5
9ead24affac4da3251b5d1f523b33c7f

SHA1
fcbdd8e4328fdcfe326ce212070e7ceb715b5bfc

SHA256
145a00c555503ac6d9e4a558aaa2416d5fc5d7bff10b024e4eaf1bb65124019d

SHA512
095292e2fa23d1ff483a4385beee5b3bb17137ef05361f56f2e4b851c198620664fc608283707afbec35de107c8ac23fb8bffd2714342f6f2f4d71f3a627fd22

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
149KB

MD5
f0f7f50f5936a99ba841fbcd48f9c3ec

SHA1
a5e207df2028a21dc91101e4945c4d1e91dc6fa3

SHA256
3e681469f72e7c5a177a554526ae51ce1851c7cc552d60f2d11704242f84b7e5

SHA512
d652d5ccb8a03158695ccaf8cd2644bab76ad46f7e6b10025d5536b00a25b9259b680f30861649d456d600ea0d7e1714d44eb343a5d16ce756960aceba48f80d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\510gyhsb.default-release\activity-stream.discovery_stream.json.tmp

Filesize
144KB

MD5
87e2fb50cc792d22312c916c8073afa4

SHA1
07e6963ca55504796c8f2f30a3c82ebc1d38dc13

SHA256
0b98db0977dfb470537a48705b137a640f2d26060b9c8f36e8ed0d99cb37e6cc

SHA512
a43208cce4b107353b615aee224ebc93c310773518a34e4a92744f6e30a4b466360eca87bfaa8b21e38a846fda437c2a09d2f94f421a90236e65954cbf184425

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\prefs.js

Filesize
6KB

MD5
c205c8a6591363331cd60c7286ad4ac1

SHA1
7d4c89374e88116484984f5d0b5df0d59aa63ecf

SHA256
81db871d08aa9e5a991e6e04e462d416753cb92830860bca520d0c73d69b07c0

SHA512
fd09bd9b7d42c6bfa6e508c071d0a67caba2437ceb56e0088cbf72e85690619ba9e7a81f2bc9956405a93210e2c46b8ec4bbf5aa7341f382457a5926ab9cd7c9

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
271B

MD5
ae8eed18ba2699c38e78d08a9476cea7

SHA1
f535afabc1cd055628633c175f09d1b3a8082e53

SHA256
eadbbd60b6244fa1d5487a274ba296d6309092c2c7ae27b5f33e7682567cfb25

SHA512
6eb1246b250bf1682bc9afa66dbcdc454a2a3b413d1a8cf49bfe99ce710223651e642dc0c6ae8af8cd56adecc45f90abddeb1903f0d8d4499da995ab6b0b0d26

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\510gyhsb.default-release\sessionstore.jsonlz4

Filesize
446B

MD5
549422974bec128f602f65eb8189efb2

SHA1
2de8d84b1f98e6087cc9a04dbbe5d63d4bbbccd4

SHA256
67fefb6f3e4efe312df86e1fc3e36662223550e69d53042b9737789dc86ef12c

SHA512
afdeab58e77edccdc61734208ebb036146947b65428b767e56e4f9e036d9e8cc030c1e72edd41481516048191258ad0ca8de6c29a08a6c33f1704b3ae04bcad0

Download Submit
memory/2028-313-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-162-0x00000161CF200000-0x00000161CF2B8000-memory.dmp

Filesize
736KB

Download
memory/2028-118-0x00000161B4B20000-0x00000161B4B48000-memory.dmp

Filesize
160KB

Download
memory/2028-227-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-121-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-179-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-314-0x00000161CF5B0000-0x00000161CF5B8000-memory.dmp

Filesize
32KB

Download
memory/2028-200-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-342-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-119-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/2028-388-0x00000161D34C0000-0x00000161D34F8000-memory.dmp

Filesize
224KB

Download
memory/2028-392-0x00000161B68A0000-0x00000161B68B0000-memory.dmp

Filesize
64KB

Download
memory/4152-397-0x00007FFDF1BCB000-0x00007FFDF1BCF000-memory.dmp

Filesize
16KB

Download