2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Resubmissions

04-08-2024 11:56

240804-n379nsvbmm 3

04-08-2024 11:52

240804-n1w4mayemg 3

Analysis

max time kernel
70s
max time network
74s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
04-08-2024 11:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

DllHost.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language DllHost.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DllHost.exe

Checks processor information in registry 2 TTPs 9 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

firefox.exefirefox.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

chrome.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies registry class 1 IoCs

Processes:

firefox.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings firefox.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

chrome.exe

pid process

4712 chrome.exe
4712 chrome.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	firefox.exe

pid	process
4712	chrome.exe
4712	chrome.exe

Suspicious use of AdjustPrivilegeToken 9 IoCs

Processes:

HorionInjector.exefirefox.exechrome.exe

description	pid	process
Token: SeDebugPrivilege	1864	HorionInjector.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeDebugPrivilege	3020	firefox.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe
Token: SeShutdownPrivilege	4712	chrome.exe

Suspicious use of FindShellTrayWindow 39 IoCs

Processes:

firefox.exeHorionInjector.exechrome.exe

pid	process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
1864	HorionInjector.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe

Suspicious use of SendNotifyMessage 35 IoCs

Processes:

firefox.exechrome.exe

pid	process
3020	firefox.exe
3020	firefox.exe
3020	firefox.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe
4712	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

firefox.exefirefox.exe

description	pid	process	target process
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3000 wrote to memory of 3020	3000	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2384	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2384	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2384	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 2808	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 324	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 324	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 324	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 324	3020	firefox.exe	firefox.exe
PID 3020 wrote to memory of 324	3020	firefox.exe	firefox.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:1864

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
2⤵
- Checks processor information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.0.768344066\842517048" -parentBuildID 20221007134813 -prefsHandle 1220 -prefMapHandle 1212 -prefsLen 20847 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c1a77027-e5a6-464c-920c-07821371a8a6} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1284 121d5b58 gpu
3⤵
PID:2384

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.1.162672176\45901209" -parentBuildID 20221007134813 -prefsHandle 1476 -prefMapHandle 1472 -prefsLen 20928 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c9fc5758-c0be-456b-9ad8-2e374af60dc7} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 1488 d71658 socket
3⤵
- Checks processor information in registry
PID:2808

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.2.1038529010\267121126" -childID 1 -isForBrowser -prefsHandle 2008 -prefMapHandle 1772 -prefsLen 20966 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2f48359b-40cd-449e-9c09-aaef9eb27a75} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2020 1a97f258 tab
3⤵
PID:324

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.3.1294409556\1766113374" -childID 2 -isForBrowser -prefsHandle 608 -prefMapHandle 840 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {c83dc9c1-538b-4a78-8ffc-4f233654cb90} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2148 121d6758 tab
3⤵
PID:2268

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.4.606876223\238089303" -childID 3 -isForBrowser -prefsHandle 2944 -prefMapHandle 2940 -prefsLen 26216 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {79a170f1-540d-4d3c-b0a2-936c0f0b5a4b} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2956 d62858 tab
3⤵
PID:2880

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.5.283064829\1918201004" -childID 4 -isForBrowser -prefsHandle 3816 -prefMapHandle 2756 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {dbd0fa04-b01f-4707-89f4-4afa0ba7f8d3} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3812 d68758 tab
3⤵
PID:3068

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.6.1419879935\911176934" -childID 5 -isForBrowser -prefsHandle 3936 -prefMapHandle 3940 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a7ae622d-5d16-4c13-8b34-6c8769f13df7} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 3924 1ec64458 tab
3⤵
PID:3000

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.7.2001783196\515787434" -childID 6 -isForBrowser -prefsHandle 4128 -prefMapHandle 4132 -prefsLen 26275 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0c6607cc-c8fc-409c-8532-fecf5447b290} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4116 1ec64758 tab
3⤵
PID:2824

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.8.1650272202\630131409" -childID 7 -isForBrowser -prefsHandle 4356 -prefMapHandle 4384 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2f28b94-5689-45c8-8f62-bbdd92188426} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4400 2215e258 tab
3⤵
PID:1004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.9.1452849426\697729705" -childID 8 -isForBrowser -prefsHandle 2500 -prefMapHandle 2508 -prefsLen 26531 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {ede94481-23b4-4956-a63d-a9a911534417} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 2144 217a2858 tab
3⤵
PID:1800

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.10.475487350\681704689" -childID 9 -isForBrowser -prefsHandle 4476 -prefMapHandle 4472 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3fd20e82-c3e7-4742-ab01-c76122f5141e} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 4468 2219f658 tab
3⤵
PID:3368

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.11.1577073404\1900054167" -childID 10 -isForBrowser -prefsHandle 4476 -prefMapHandle 8260 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fdbd9836-3fe0-46f3-9d37-adf65c29bbbc} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 8308 24374558 tab
3⤵
PID:3432

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.12.1050592612\199573999" -childID 11 -isForBrowser -prefsHandle 8168 -prefMapHandle 8164 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {abf7daa1-cc6a-46f4-ac01-580111b82372} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 8180 24374258 tab
3⤵
PID:3484

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.13.457848579\2008242623" -childID 12 -isForBrowser -prefsHandle 7920 -prefMapHandle 7928 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b3791d12-8531-476b-8587-3ddaffed06fd} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7908 24385358 tab
3⤵
PID:3928

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.14.1222297891\1360976887" -childID 13 -isForBrowser -prefsHandle 7844 -prefMapHandle 7840 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {8b882c2c-cee1-4c34-915d-76644b14dedb} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7856 24384a58 tab
3⤵
PID:3936

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.15.319915151\1926537352" -childID 14 -isForBrowser -prefsHandle 7672 -prefMapHandle 7668 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fd9a5c58-e589-40c5-ab46-2876f5a8cb41} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7684 24386858 tab
3⤵
PID:3944

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.16.785173850\1148477435" -childID 15 -isForBrowser -prefsHandle 7780 -prefMapHandle 7776 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {1b3cfe95-1531-4396-bc81-84e37945f108} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7792 255d2d58 tab
3⤵
PID:1004

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.17.842236702\950602660" -childID 16 -isForBrowser -prefsHandle 7260 -prefMapHandle 7264 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {62201026-24dd-4db5-a150-57117cc704c2} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7248 265f4458 tab
3⤵
PID:2348

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="3020.18.1001298607\770376798" -childID 17 -isForBrowser -prefsHandle 7128 -prefMapHandle 7124 -prefsLen 26796 -prefMapSize 233444 -jsInitHandle 856 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2cecbf2-ddd2-4d5f-a822-e15b3ac4b935} 3020 "\\.\pipe\gecko-crash-server-pipe.3020" 7140 25a42858 tab
3⤵
PID:3580

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{06622D85-6856-4460-8DE1-A81921B41C4B}
1⤵
- System Location Discovery: System Language Discovery
PID:4528

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:4712

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef63e9758,0x7fef63e9768,0x7fef63e9778
2⤵
PID:4724

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1104 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:2
2⤵
PID:4880

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1448 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:8
2⤵
PID:4940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1520 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:8
2⤵
PID:3804

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2076 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:1
2⤵
PID:2720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2084 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:1
2⤵
PID:1720

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1384 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:2
2⤵
PID:2924

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --mojo-platform-channel-handle=1844 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:1
2⤵
PID:3424

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3732 --field-trial-handle=1288,i,5502283262560452002,5610838579009496212,131072 /prefetch:8
2⤵
PID:3268

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:5016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\61fcaa69-215a-4363-998a-1a6ab6779cbf.tmp

Filesize
311KB

MD5
cf5585fba5a3c5927f504761e48b9041

SHA1
43e778c4243a72d653dbdbaeb309d8f07d6553f9

SHA256
2e53b7c719987fe182a1d9ba6b1834aabd88e17a075102d09ce745cfcd4ead27

SHA512
07e839f9eddc4cf1a0bb9212736d90a7874d8a7e7570d7065132e11fd3fd389b6c7945522e1da154240af9a03432bd8dc05d05ae39a613429e471a9dcf2db73e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\GPUCache\data_1

Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\shared_proto_db\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\activity-stream.discovery_stream.json.tmp

Filesize
25KB

MD5
97349ae0811b09bfc5b0a680f1382b83

SHA1
25745e34abd37573f3e174416ec7fda85b4b5df8

SHA256
0e30d8e114e66775098f80843526855f9a51aed28de5daf6baa4e1ee5a6efd73

SHA512
4a6948b83d04adbdb1baaed84b7eb611bc45f9011c05c77e9ffde801f4461946c788a84331bc69d9be0e433c053ff8fec821bee34ddcce34ba24087eca12c379

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\doomed\1362

Filesize
255B

MD5
072683cb46bdaa00e865236f152074d2

SHA1
84acf2553db99c00a84e10372904514b15286ab7

SHA256
4d6c2c97c8a3b4676dfbdba5d7b99b837e60f8166555d90b8656af7eaf8dd41f

SHA512
bd09a4237eabbe4336cfb46e172efe512e69460bd49c48e7d119992af3dfee080925fd2fd2c5e050b99e19b08f5805f63720951dd89ab2feadcbbef6588f2040

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\185D15C62C8838180B58BC4E6E157AEAFA76C3FE

Filesize
132KB

MD5
aee7eb71ad88fda60913a228226d5bce

SHA1
8f42bc001facfefe3c4e6768643510e61e104f73

SHA256
c2a56320631cdf038ffd69895d6c7d8c6efdef43efd4ae47f06a5f5d5e5292bf

SHA512
56817c867f0e4c8da755eff12de383ac287cc9a25df5af6d46e28f1bad6952c75d574f71102a49f1493b8b07be1d7371d75091be5a4f9f19e277db8868e68a3e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\491CBF3E3E8A41F10CE712581687A5072CEC495E

Filesize
1.8MB

MD5
7f5be7c87ceb1e238138031d79cb77c7

SHA1
bb54b3f86a795e8e8136965350e74b4269cc5833

SHA256
a8cb11fb868ad27e1cc79e5e1195427a02a2077409dbb137b3b7563bf8f95a63

SHA512
9c7dad5d87354d0dff9353f344cbb53a2788ad50c8e13af470d8e1f9d35ac99ee0cb1bb684d7c368ff08654d96eea778c034242c67e971784916e22e81afe3fd

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\677B80A25A006EDCC273545819E7C8B9A97E5201

Filesize
41KB

MD5
b7a06590511dc4518e227947c920e294

SHA1
9cc5703d8c82030efde1df494ab94893fb9ce2c2

SHA256
105b5fb0208b92e3bc48373280b4be906b7a292b216437f5c93ba1addf977ce1

SHA512
07b7972516bf0e2f5aaec8d81d66e0771adf32387c0976a352ee22e4d471e2f0c0d47f89b49f5d11bb47937ba91ede874e2b1b09a6be3a453365aa7aec4a62f3

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\7D3068195A30D049CC263CE0A0641E65E92E39CF

Filesize
794KB

MD5
f3244d8798b13fa216a886ac2058d56d

SHA1
780b612272c94dad9845f28b9bf226b595b346d3

SHA256
ac1811abf1eb61353745ee8bafe1b0958a848db2bbcb46e063c808d02ee50811

SHA512
21ce71ef37f1f5a7e473724fdc8aaae1b9f6aa2ccda0c23e7a52218e0ffcd46e3208a2a9d589ae8be87247f5b596e4e710a72a5c84cbe4dc32ac26cecf4b7b96

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\9DC265B5DCCDC6D8E46E5F2CE94CC2CBCC9E6726

Filesize
208KB

MD5
83db568a0bb03f001c1b2abb1950e2a2

SHA1
754b82465561232cc2c9470ec4491ee9f4e41dc4

SHA256
9b138ab7a53f78ea895764fd839d93c259a3287a2cc34d5efc96ab8953572b0f

SHA512
34add70a41baae511a7b47d36baf5fe3e0cee14cf952456da143a9ecdc98cdcdc8835200284fbccd82fd845675c3ea463dfbb96986dbc95114b8824ebcd9800e

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\9F0360216CC49F3C9C33C30D5D21CF3F3CAA26C2

Filesize
29KB

MD5
3c60b1d065479e9aae7ae30a6ec166a0

SHA1
ed2dbdba8332b616643d20badcfd98fdd35df4cf

SHA256
fa3072a6d3b7db610653c5874cce257ef194fbade6248147f1c75b8db0e51b8e

SHA512
c066bc979d7a43922cdc2cd2a7718ed92b5e77cf0225626353dd3a8edc8e1b2580ec8dd599ae1ed0752825a56a457db2c694b398c8e2b3060e37ba63ec349cf2

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\cache2\entries\FBE113019ECDE668142C34625ECE7E334337FAFB

Filesize
108KB

MD5
96a54c0e94793acdbfa5668c797e0c5b

SHA1
f811454975f5bf3b8f02aa188dad35f647876e78

SHA256
e0be659c3095b288f3c20349d98be90aaa671d16f87b070f033fe385379b595a

SHA512
9c9c3d00840cfbc4a70331eceae3d7d5a1da794cd9b01dc35dde349b22d36f33cae63098708cf6567ced1c3425201605d26a347a7d3b8a409a91c767f0bcd0fc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\db\data.safe.bin

Filesize
2KB

MD5
6aef247ac62d5ea2e1db06be3e96b726

SHA1
8f761bbcdc43768cb9ebcf9c983d0607b0837f2e

SHA256
7d4454e75fd4173a5e064d809ac9b5375150cf1afc9b8c2b33b40c9256c07747

SHA512
ac63cfff7a0489158a611d816b4c8d0bc7edd4918c69c27448e74d597958a68e20954f44c25c5c818552324c9f135986ae7fff51ca6c4247483bcae9efa4d865

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\378afcd9-8fef-41db-8659-9978864bd574

Filesize
13KB

MD5
65198ea806f2a6fe83c9dc4fdb3dc771

SHA1
ef8edbf79693f5dc8e1cdbbed336a07b8c6d28a4

SHA256
d72b9a80f33a4419c1aeb8a4fc6846580def30572a8369a892d8ae76f651e227

SHA512
30e0039e7d8dd98021724484f28016ade13a8d1049a3e57e56abb51344745881bd144e5ebd5e599af7a6a1111c2836ddf1decc99fd5701eb13f273fbc9015546

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\datareporting\glean\pending_pings\3cdab8b3-f81a-4f57-bff4-46b80dad0541

Filesize
745B

MD5
c5356e59d467abb72855d0013bbd5b61

SHA1
623f04a916e0a1d46a6a1bda7f361488c7bcaa5f

SHA256
3e8c681fbe1af193a5a009b486c3de9f17c37a179409f933bd1f2ff86f9750c3

SHA512
8c844a3c28ab90173aa2476a7865ce6d45cb4a8b95433957ca398ab6f7d1e2daecc694d940551cf43d3861fba710a1fcf5799ad25c245996a04260a07799619b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
4d762d0be368382ffb6f17a242096bef

SHA1
e390c483de8ba8590f07e6283dda540b551cf72a

SHA256
3fc447cdf1952f498181e06a83a5fdd779b5ac425e94e6d84c58323b221d3622

SHA512
f7dd7f4ba5de2824ab24d4b63eb242b84ee9f4e50accd8a207e39100ca36f577cb002670ce0e57d41a21a054873826e281a4ab7c99f62ba33a9cb39b296dbf7f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\prefs-1.js

Filesize
6KB

MD5
156884d5013855492a34bdfbc8d0052c

SHA1
e71e04a3f9cf7b92eec9e518b454afdaec6a4cc3

SHA256
7db02053aa9dc605e96b473f032b32d582a4b5340187898b918f62d2381d34d7

SHA512
ceef4f5eeb4dc548bbf22eebaea42319c876dc048198f8912e5b4ce036a7992940bc90df2b1e727a4ba3050404de240d598d784cd81f6e0468f3f50328976ab3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
2KB

MD5
8b9c4bc3ab2f74a631865c99f5c46f8b

SHA1
e215f48d1141d963face9317bcf16a828d671f3b

SHA256
3f4385aa00bfda54e55dfa63051cc2430362f2938788e0ce42ab3fcdd4e08910

SHA512
94f3aa93475d14483993a648ae44b7b52cd39ec36ac85d141921a4c93a8d321f496376df78b073c93fdec3ae8ba345e5bb0676cb330858f81c29147a4408153e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
9beb4e005d92b74e0a62891adfb107fa

SHA1
34b9b00019a02f381f72f2555db175443018f2f1

SHA256
13405fed7d5fa2a5641724011c07a8069432feaceda0c1aa3cfe9fdf29f1052e

SHA512
947ff4710d150cdeeb654a4101417f029ab7d539bf47a39d5206b0f63f962bbf63e4fda246d0187ef5e3eee7c8a91ddeb28df101e10bfb684b8d3797305045b4

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
6KB

MD5
8aca5db7a9c5fcaaaf4544272aff7862

SHA1
7e0da654bcb2bc8b5a80f7e0b096d06915284d4a

SHA256
6b629106d7cf6416cb22fc85f2cd8c96c69371c3dafe48fef9b5324a38d2b711

SHA512
2f8f79ca75c23586168d00ccddafd4bdfb09c432f4d440bbb39b9adcc6202faacea5207ad80e53a9f9389396ef1ab57e8c2b9bb3de245cc91159739a61919bd8

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\bz1ih2a5.default-release\sessionstore.jsonlz4

Filesize
6KB

MD5
0684647e840a438571ec5b9132242e70

SHA1
fcf7bf6eaff60fa14b64e2b12f559ae9eb6da2cd

SHA256
4a32ddcf5a19fe8330b2d2b2a99cb4ae82135ec887def82f2f4a0254c4b519bc

SHA512
e2d9092719d14b169bb5f5b414736a7db8cb732f858068068eb081e1cbe528785dbcf5bf16bee0f025aea5ad6297fb0f0447ad5c0b19250aed88dcaa9e80fa7d

Download Submit
\??\PIPE\samr

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/1864-183-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/1864-0-0x000007FEF5A23000-0x000007FEF5A24000-memory.dmp

Filesize
4KB

Download
memory/1864-5-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1864-4-0x0000000000150000-0x000000000015A000-memory.dmp

Filesize
40KB

Download
memory/1864-261-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-1072-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-3-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-2-0x000007FEF5A20000-0x000007FEF640C000-memory.dmp

Filesize
9.9MB

Download
memory/1864-1-0x000000013FC80000-0x000000013FCA8000-memory.dmp

Filesize
160KB

Download