2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
91s
max time network
94s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
03/08/2024, 09:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

1^/10

Malware Config

Signatures

Checks processor information in registry 2 TTPs 12 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1 = 14002e8005398e082303024b98265d99428e115f0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupView = "4294967295"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\Registry\User\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Downloads"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 0100000000000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "46"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 0202	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByDirection = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\NodeSlot = "2"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "646"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-3007475212-2160282277-2943627620-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1200	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe
4660	HorionInjector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1200	explorer.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	4660	HorionInjector.exe
Token: SeDebugPrivilege	1932	firefox.exe
Token: SeDebugPrivilege	1932	firefox.exe

Suspicious use of FindShellTrayWindow 21 IoCs

pid	Process
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe
1932	firefox.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1200	explorer.exe
1932	firefox.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4660 wrote to memory of 1492	4660	HorionInjector.exe	81
PID 4660 wrote to memory of 1492	4660	HorionInjector.exe	81
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 328 wrote to memory of 1932	328	firefox.exe	90
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 3856	1932	firefox.exe	91
PID 1932 wrote to memory of 4868	1932	firefox.exe	92
PID 1932 wrote to memory of 4868	1932	firefox.exe	92
PID 1932 wrote to memory of 4868	1932	firefox.exe	92
PID 1932 wrote to memory of 4868	1932	firefox.exe	92
PID 1932 wrote to memory of 4868	1932	firefox.exe	92
PID 1932 wrote to memory of 4868	1932	firefox.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4660
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:1492

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:1200

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:328
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1932
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1948 -parentBuildID 20240401114208 -prefsHandle 1876 -prefMapHandle 1868 -prefsLen 23600 -prefMapSize 244628 -appDir "C:\Program Files\Mozilla Firefox\browser" - {366b3e74-99fd-403a-b741-59f55c6b513a} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" gpu
    3⤵
    PID:3856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2348 -parentBuildID 20240401114208 -prefsHandle 2340 -prefMapHandle 2328 -prefsLen 23636 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {9b0b9011-c6ec-4e81-acca-f1743a2b3f7c} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" socket
    3⤵
    - Checks processor information in registry
    PID:4868
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3052 -childID 1 -isForBrowser -prefsHandle 3160 -prefMapHandle 3200 -prefsLen 23777 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fab2b177-261d-4831-b57e-c18094258c39} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab
    3⤵
    PID:1192
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3972 -childID 2 -isForBrowser -prefsHandle 2524 -prefMapHandle 2688 -prefsLen 29010 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {659e6c0d-e521-4075-a65c-e55b568bb427} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab
    3⤵
    PID:4856
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4764 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4676 -prefMapHandle 4684 -prefsLen 29010 -prefMapSize 244628 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {dc9e8402-66b5-4fff-95d7-cff4ae8cbfa2} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" utility
    3⤵
    - Checks processor information in registry
    PID:220
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5292 -childID 3 -isForBrowser -prefsHandle 5284 -prefMapHandle 5280 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {be27caa7-3528-47e3-b48a-e28c84edaeef} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab
    3⤵
    PID:5424
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5468 -childID 4 -isForBrowser -prefsHandle 5388 -prefMapHandle 5392 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {fa95ba41-c955-4276-83ca-c94bbf3e8b25} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab
    3⤵
    PID:5436
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5596 -childID 5 -isForBrowser -prefsHandle 5312 -prefMapHandle 5364 -prefsLen 26989 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ae9776eb-a6a4-4b2f-9356-e6e950619135} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab
    3⤵
    PID:5448
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6096 -childID 6 -isForBrowser -prefsHandle 6088 -prefMapHandle 5960 -prefsLen 27211 -prefMapSize 244628 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {49d7fea0-8632-44b7-8d51-f18a87d8548b} 1932 "\\.\pipe\gecko-crash-server-pipe.1932" tab
    3⤵
    PID:3232

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\6o52671h.default-release\activity-stream.discovery_stream.json.tmp

Filesize
18KB

MD5
e8ba985601f8be0a402d591e6ecc0729

SHA1
b49d2558a593d9398dbeb5e136d3698565e2f630

SHA256
a85457125571e904f41c24fc04ad50b27b5bfb749eda9df696d97b7c5de20fa8

SHA512
ef0070825cde84ef99512540a7b44668f5bd892a11c9140e5f435ece8f7f6ea8df9682f7667c07a5d59210c120cdadcde9b921bba810ad0bb13ef2d649a2111b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
9448b025dea3216a5200884c373c4ae4

SHA1
e728fcc3e55e18bd08a3366b2fdb52a760d08a24

SHA256
d6d56ff1673eb40d191b89da161dfe5b46f2dfdccf2215b1a3c8e9f0664478fe

SHA512
8bee3de6c0c5782a3024cc10892c9d8373ef4899db4623291c5911c9a18c0ba8a81cfb4c3800165a45c30ca6f5b0eefc35382586e1863d14fd0dba03d1e6a8e6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
6KB

MD5
2769229d7caee640be6cb27581082c73

SHA1
95cd00b248eb2bcc92875d5c05725a044e10344e

SHA256
fe338beb5dcaf913f3944fbcd83797fecfa70d5e70f34e6fac730ea0c0175a5c

SHA512
1a41607d93551b93987c40f360b62d7c51913be3d446c09d1941d0ae4cf64e90c2b0c2cf63c79f44a55ef2f03ffac74e56a227914e8e614b9d304ab3ee5d18f0

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
3c8dc9bb4890d9f2f5d137d5afd82f44

SHA1
7df02f68a7bb451a661c85a55cfb85b668e31bef

SHA256
a1d0b6ca872669f5731c8faba0f97d9a580c795639c00c5ca4825026f3f034a4

SHA512
cdb4265ebd5151639a26647e6c1f8a21765f23643e99fdd4a96577297cd9ab06ec3159bc3e0841663792410db05bdc2d9417c8ead593a488bbd2b2a13b0ec2ed

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\1ff8d0ee-0340-4d4e-9162-e1fa95044401

Filesize
8KB

MD5
e9616a6f7f49cbe5568cc8946d6596e1

SHA1
d146812e2f50a67eada13f414af7487a43c0170a

SHA256
0a6ceae23e8ad0c93480d2e4878ca979bc9a5899cadfc8288e501f923589e1d4

SHA512
442fd815a9e8ac3e08df1f5777c66bb338963406365436d373e01e112c3cfb9fbd83c2b8db6f46ae4aa79e60973676f88c8215c30cab9a777c7ac961420bd027

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\78d69bd7-9f02-4a6d-a244-1b3dcaedd4ca

Filesize
671B

MD5
0951cdf6592f6389d0fed12f25820335

SHA1
11ab648da35e889d8d7e14e4d47ba839df98cb30

SHA256
ef036cd61a1c1f5c9ebfebfec8be69541a76c9b9a688cfb421f3ee96c85297ea

SHA512
8bf53a4aee8c288af97eedfd3b69c9dd5e2fcd610e50427f330abbaa3374ddc9efece6445d985715f1fbcac9696dab7c2efb24663dee5f4424ea0d8565edc437

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\9463aa57-7df6-433b-9fae-aebf8286c1b0

Filesize
982B

MD5
69bdf3f731e03ce8eb99336275e69ddd

SHA1
0d2aa1d7d434f85023a01b069d166b4ff0c64eab

SHA256
3af1f4c52a18b9973a1e560044e1664e146afaf104c2e2479b0108725434a438

SHA512
3a5cf7f052f465b8151dd3c35e64075b168c47da946c0bdefceec5526392e86db4a296fe3e49b287e60add9f90f926d4ca80c09c56f6701a316e4d0a2ca2a8b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\datareporting\glean\pending_pings\cc3aa95d-fa60-4010-9310-7f17047f19d8

Filesize
26KB

MD5
b46fcb1e935125c30b5be260d95d1b19

SHA1
263e4d727e4d326707ee1b88aee34dfcc7515b72

SHA256
747d080cde6636a30fe9f1318406635aaea48c79b6421a4798f29ea10942883b

SHA512
8c5f6ab76c6823f64a65d7d7dd7cae02e995ac5e14fd078284e4d759f0b92f910169e6e1bc6b31c12d5c1a74ce70cd00a2fed02d7eba24bfc39b3c74fe68ede5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

Filesize
11KB

MD5
3697c4c973a483028735df384cdbd146

SHA1
9126f6bb678309d2491440ec2a553953ec3cc37a

SHA256
43df1796cda678fe1b6f12fb04c96c3c0ee8fcdd4fae99daf227fa5f3933e71c

SHA512
91004cc2c365b0b21c94646d61d5bd78e3dace56fdaaf791cfa7128452c222f924c754bdc3786e0cf3986f52103121b936fe6b878a8bacd9c8c5b1214e889a06

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\prefs-1.js

Filesize
10KB

MD5
ce0ef443e58a48fd3dad46e1b6849e9f

SHA1
79689b2b2826c978222b8b29956f582ca500a2cc

SHA256
ee3c238fc3fb9ab84381e9a5e4ccf5364e18eb77090803c9c67b35b5de3fb052

SHA512
1df80bccfaf94a855222cbd41a58a26353473261a5714ec3e7e2c44c8258ccf4c017a4525474fe7a3741039689299f87561f44159d344f92115aedf004b33eb6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\6o52671h.default-release\storage\default\https+++www.ebay.co.uk\idb\2728594770keeryovtasl-.sqlite

Filesize
48KB

MD5
9b38eebe679664032b8058632fec550a

SHA1
213b3e731b740c3b8ccbd45e38171e80dfb5ec34

SHA256
ae66317b881b30e2d9d4bbd21973458771f5dce3f78531f4642b82df0d6c2ddf

SHA512
f2a25c8d45710714222b32ee26ae211ee0b36aa2d7e90bceb18b5380b2770e6e26d715d9527c6962b340d8e45d498484b79d062db414eff1b39bbe621fa68a07

Download Submit
memory/4660-5-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmp

Filesize
10.8MB

Download
memory/4660-14-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmp

Filesize
10.8MB

Download
memory/4660-9-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmp

Filesize
10.8MB

Download
memory/4660-8-0x0000029C74540000-0x0000029C7454E000-memory.dmp

Filesize
56KB

Download
memory/4660-7-0x0000029C74570000-0x0000029C745A8000-memory.dmp

Filesize
224KB

Download
memory/4660-6-0x0000029C74050000-0x0000029C74058000-memory.dmp

Filesize
32KB

Download
memory/4660-0-0x00007FFFE8BA3000-0x00007FFFE8BA5000-memory.dmp

Filesize
8KB

Download
memory/4660-4-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmp

Filesize
10.8MB

Download
memory/4660-3-0x0000029C70520000-0x0000029C705DA000-memory.dmp

Filesize
744KB

Download
memory/4660-2-0x00007FFFE8BA0000-0x00007FFFE9662000-memory.dmp

Filesize
10.8MB

Download
memory/4660-1-0x0000029C55CC0000-0x0000029C55CE8000-memory.dmp

Filesize
160KB

Download