2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
93s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20250217-en
resource tags

arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2025, 01:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
26	3012	HorionInjector.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies registry class 48 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2593460650-190333679-3676257533-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1140	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe
3012	HorionInjector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3012	HorionInjector.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe
2216	msedge.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe
1140	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3012 wrote to memory of 3208	3012	HorionInjector.exe	90
PID 3012 wrote to memory of 3208	3012	HorionInjector.exe	90
PID 2216 wrote to memory of 4152	2216	msedge.exe	99
PID 2216 wrote to memory of 4152	2216	msedge.exe	99
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 824	2216	msedge.exe	100
PID 2216 wrote to memory of 1628	2216	msedge.exe	101
PID 2216 wrote to memory of 1628	2216	msedge.exe	101
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102
PID 2216 wrote to memory of 2572	2216	msedge.exe	102

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Downloads MZ/PE file
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3012
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:3208

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1140

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --profile-directory=Default
1⤵
- Enumerates system info in registry
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xf8,0x128,0x7ff826c246f8,0x7ff826c24708,0x7ff826c24718
  2⤵
  PID:4152
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2128 /prefetch:2
  2⤵
  PID:824
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2236 /prefetch:3
  2⤵
  PID:1628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2780 /prefetch:8
  2⤵
  PID:2572
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3428 /prefetch:1
  2⤵
  PID:1936
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3452 /prefetch:1
  2⤵
  PID:2828
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5112 /prefetch:1
  2⤵
  PID:4412
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
  2⤵
  PID:3500
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:3808
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5396 /prefetch:8
  2⤵
  PID:1460
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:3012
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4524 /prefetch:1
  2⤵
  PID:3288
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2112,10479191081867945796,9528357352376037443,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2832 /prefetch:1
  2⤵
  PID:4100

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4208

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
f2b08db3d95297f259f5aabbc4c36579

SHA1
f5160d14e7046d541aee0c51c310b671e199f634

SHA256
a43c97e4f52c27219be115d0d63f8ff38f98fc60f8aab81136e068ba82929869

SHA512
3256d03196afe4fbe81ae359526e686684f5ef8ef03ce500c64a3a8a79c72b779deff71cf64c0ece7d21737ffc67062ec8114c3de5cafd7e8313bb0d08684c75

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
6cdd2d2aae57f38e1f6033a490d08b79

SHA1
a54cb1af38c825e74602b18fb1280371c8865871

SHA256
56e7dc53fb8968feac9775fc4e2f5474bab2d10d5f1a5db8037435694062fbff

SHA512
6cf1ccd4bc6ef53d91c64f152e90f2756f34999a9b9036dc3c4423ec33e0dcee840e754d5efac6715411751facbe78acc6229a2c849877589755f7f578ef949a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
2f03bb7039ae52b42f0e3e77731b7ad0

SHA1
efd8451bbb4b0714d4b068356503d235bb10cf13

SHA256
a5fd06b7f5adc694e278c4600452f9d2816a9a943060102631009c53926df067

SHA512
d9e60857dbdb343e0709299794223ba3b09a52a0d9df701681bd68b3015143448c684fd738d5b22af4383118ca61ae64e60c6ec7a64e79705d1ef9ff8a81c610

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
e32fb016e9449b11de2552821e41d2c6

SHA1
5a517a202e1e287bde2607ca7fc8aa2edc519d0b

SHA256
90e4f9d2cdf2bb3200bc2f5b216a76af09d8f7d37bf7426b5aba5894a1c28d44

SHA512
9de7e601789c67f29622135f2ad1b1806dd30d456e44231ca894c56995aef4d4ae3c344d4cdd22cdc9e28aac4d70e90ecf835862eed23d793ff2508b65aead74

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
3e52dba3dd2e0f32c2a8196dc51bed30

SHA1
05f34c4f32fc588532211238be6d26db2421dbb0

SHA256
003390c4beebbab0eca263a0601f32484ca69df003a33118ff290106c6c77e6f

SHA512
adf1681000d7369379cf9b37bde24042d60fbb78a41ad87888accfa38d6c932a444b884405c4329d5b5d91673d99791dc4b6c3293c8a32703073958512c0e62a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
2a7f7f110b77068aeb749c700701bb71

SHA1
ee3d8989c38b0e110fe0f30c3f66de18705a2a9d

SHA256
948fcc2e68e80b2995b9b2937e89cf3d16c32ac05839d3aa8130399151831c4f

SHA512
4c9f54a62ec7ceb64f3f1d2a7e7a0b44f724bccebc76aebf72ce468e0ff5d9005fa8f5c831f9bdbe0fb3bd3b11667f974f7c534d1018502578263e4cac0edb99

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
f35c70a45f0c20aa2b6c85834890be4e

SHA1
6992c75ae36f7c38d35f03b09992f86870fe6792

SHA256
9d4fd1ca11ab13cddfa22716f559c6c47aa1be60a08df3b4ab81882e17a0de7e

SHA512
adc5cd6f33af509e79d558c45f6a68e7740b62d1d01f85fa6102c0615b468309c05a570d1f7146576f72b32abf5516155afa387c98b069af72a7020f273afc8c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\ShaderCache\GPUCache\data_1

Filesize
264KB

MD5
c48e053ea4153338d6eb7363e055c129

SHA1
741e27d9a99cc47cec6f5bc2105c2f98a11e499b

SHA256
4d8dcb069a912809034fad83e2d1d4e06b77fc2dc513c7ccae8c0397f4259c97

SHA512
3665df0200cf93a9743a1a2ef0291d68358add754ec726a58c1ec8bc6425f630b25fd3fdff4f0b6753b106346a86b2eb2277b8c2f835325ed7891a1e9f49b442

Download Submit
memory/3012-5-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/3012-11-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/3012-16-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/3012-10-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/3012-7-0x000002D8F5170000-0x000002D8F51A8000-memory.dmp

Filesize
224KB

Download
memory/3012-8-0x000002D8F4CF0000-0x000002D8F4CFE000-memory.dmp

Filesize
56KB

Download
memory/3012-9-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/3012-6-0x000002D8F4C40000-0x000002D8F4C48000-memory.dmp

Filesize
32KB

Download
memory/3012-0-0x00007FF817AC3000-0x00007FF817AC5000-memory.dmp

Filesize
8KB

Download
memory/3012-4-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/3012-3-0x000002D8F1040000-0x000002D8F10FA000-memory.dmp

Filesize
744KB

Download
memory/3012-2-0x00007FF817AC0000-0x00007FF818581000-memory.dmp

Filesize
10.8MB

Download
memory/3012-1-0x000002D8ED170000-0x000002D8ED198000-memory.dmp

Filesize
160KB

Download