2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Resubmissions

10/02/2024, 02:52

240210-dc5qraab35 7

Analysis

max time kernel
174s
max time network
185s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
10/02/2024, 02:52

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2892	MinecraftInstaller.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "231"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133520072338565060"	chrome.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = 99ebff004cc2ff000091f8000078d4000067c000003e9200001a6800f7630c00	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4290799360"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292114432"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365268"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe

Modifies registry class 45 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "646"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).x = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "46"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WFlags = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1199853020-417986905-91977573-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2016	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe
5096	HorionInjector.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5096	HorionInjector.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe
Token: SeCreatePagefilePrivilege	3600	chrome.exe
Token: SeShutdownPrivilege	3600	chrome.exe

Suspicious use of FindShellTrayWindow 58 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of SendNotifyMessage 16 IoCs

pid	Process
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe
3600	chrome.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2016	explorer.exe
2016	explorer.exe
2560	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5096 wrote to memory of 4008	5096	HorionInjector.exe	77
PID 5096 wrote to memory of 4008	5096	HorionInjector.exe	77
PID 3600 wrote to memory of 696	3600	chrome.exe	85
PID 3600 wrote to memory of 696	3600	chrome.exe	85
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 4012	3600	chrome.exe	89
PID 3600 wrote to memory of 2712	3600	chrome.exe	87
PID 3600 wrote to memory of 2712	3600	chrome.exe	87
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88
PID 3600 wrote to memory of 4620	3600	chrome.exe	88

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5096
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:4008

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:2016

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3600
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff9e1f19758,0x7ff9e1f19768,0x7ff9e1f19778
  2⤵
  PID:696
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1972 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:2712
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:4620
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:2
  2⤵
  PID:4012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3212 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:1012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3184 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:3552
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=4520 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:4884
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3904 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:1648
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5156 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:2420
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5124 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:4776
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --mojo-platform-channel-handle=4720 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:1960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --mojo-platform-channel-handle=4796 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:1568
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --mojo-platform-channel-handle=3852 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:2020
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:1484
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --mojo-platform-channel-handle=5528 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:1
  2⤵
  PID:3324
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5648 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:4284
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2744 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:2816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3324 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:2560
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4596 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:2392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=3220 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:3532
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5744 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:8
  2⤵
  PID:2132
- C:\Users\Admin\Downloads\MinecraftInstaller.exe
  "C:\Users\Admin\Downloads\MinecraftInstaller.exe"
  2⤵
  - Executes dropped EXE
  PID:2892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=5448 --field-trial-handle=1832,i,10387127452727137898,2306019837800001913,131072 /prefetch:2
  2⤵
  PID:3860

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1068

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2f855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:2560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000007

Filesize
194KB

MD5
36104d04a9994182ba78be74c7ac3b0e

SHA1
0c049d44cd22468abb1d0711ec844e68297a7b3d

SHA256
ccde155056cdce86d7e51dfd4e8fb603e8d816224b1257adfcf9503139dd28f1

SHA512
8c115e3e5925fb01efd8dda889f4d5e890f6daaf40b10d5b8e3d9b19e15dadcb9dcf344f40c43f59a1f5428b3ee49e24e492cf0cb6826add1c03d21efdec52ba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
168B

MD5
cf5346c4a291d6182a7be1c05f7c201e

SHA1
8e891b97bf8c1d937863971fedec5432e5e6e30e

SHA256
af1c3332b9d86bd011d03d6fb5b3c6b6bbde5b2b6af44bae0030c78f89ae9115

SHA512
9fabe2a61e6257dcdf586558659791f6fd1016d5bcb5c0ea36f66c96c3e20158086872c8df0c602e79a3da33cd686a7436c5a78f4f7273ac21e413b1249f2b9c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
a84bd5cb3d4e2e2c23402f7d4fe9b193

SHA1
45076d7bf6e9dfc18394651f835f145257ebe68d

SHA256
7e9d5eef00d41b18c98f70fe4d68f5e3071d5b06b30a13be466df4c191b534aa

SHA512
bf04b6b81aaec816c2cdc1940301816f29e232c30a57b5308a1ad0095933ab6802c0f8a1221c254aea546931575b170de308d5bc5315a661d7c24b0651469f17

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
869e1c3382a9a3bc71483ebae4a6985d

SHA1
416411e510a0b89c0b436de94eaf4f7a098074d5

SHA256
84f679d93e56d9a94676fb04d7d0586e4dafe2f43866a05d7ab1d91a652cade3

SHA512
90bed2cb876c4a68251cb9638b346564bc5667d8eaeff187026489faca7c0708505990efc21595d3c6d5476602b87c1e03a8c3e32a634e34d961f13cd37d9c6d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
1c9ff39716d3e41baa237aba341c44ec

SHA1
aa585d45c8602766fee904b46222c26be17c5aa8

SHA256
9b10f4c82820a175f47b1c0e45557999f4fc6b02a02f7cfb550ff9518a5ae391

SHA512
b790e8df4625540a2a387d858a77677f9387e05d954759b80f1242dc79915a2007c5c24452ce5ebbf7a200210299bc57c2057f5724a58dcf4788f9403384e20f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
141cbadc86e5a8a653930c458b7f7eb0

SHA1
314d98c216edac40e42e27078c02533cd7931e6c

SHA256
a7e676f86a0b9d2e3427fc1d96b091c47dece0e777b9ccebcac2c4362d3e3596

SHA512
10a04403ec73b488dd17bd8bb2b85d6d2e4309d76e1959819694d7755115451ff91a7bc875c41eca7f10769078da1bb9698a5ecae5534b16e44bf27c03eae458

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
da1410029fc000c9d1ffc5f50170da7f

SHA1
0f8bf4e048365b297bf0579670af345a1f4f4e03

SHA256
8cea27fa91f5afdf57d440994a7078d89ec64aad56bcead28cb888b5429495c1

SHA512
fa4d0b18ba432d1df756a141ca77ecfa3be72951344bdf1b600e3a84c68844592b724375d17319833dc583956a04dac8a26e713918f93db704fda45ca81a328c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
371B

MD5
a24719dcbace0fcf8e8abb002e90e5a9

SHA1
f310d907390dc65a2b7ec1f14e0c4acd8599872c

SHA256
fccc886bdeaa94cefd43d71947b0a7485370df4aa83e1615a17f24759bd57ea7

SHA512
c6d3a0f316fc420ff564714b21aa8acb5dd2afe00a1a6a66271ce3dc43d499a2055ea183b86b5b81438cc4af75ec1f5a3b670edf46db44cfe0060370dab21e6e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
873B

MD5
00176f6be4a50e5382473139cc6db6ef

SHA1
2d5468c5cc5fbf2943d05447b167e8a9c1c6f624

SHA256
f7d1dd5253e7d5112431b469015996d28c3c270d65ccf28adaee1e807dc1d612

SHA512
55a74351aed96bbc6551611b916e4e7620c6d63d93d0de32cf02047ba8dabd82233ab46b673b8eb28655c154fe6a6197032641bcee22486431f77faa0198c251

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
8083d8babe784c6baf7aefa2067924e4

SHA1
70c9dd4c4790de0ea81488349355d2721c44e845

SHA256
6d7d000001db8484278fc6be90f0e323f19ee92a95b942cf04b97c85dd35a023

SHA512
0bc4a45e38ae296bb1f41dde82251b61ef0d20e12ceaa9100178bacd510bfb9163111019147507f6783a75b0495120df630fc1d5d6701b10599c097954418c1b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
ac66f4167f5da3fb42ba2a84fb76cdda

SHA1
60a7e00a85421487576a221ab7cc1909d52d33a5

SHA256
b8f5e562eecf5b3e5bec850888a43da89b03e11bd415f472a08b08beecab8a7e

SHA512
628fde060c5772e4fb60688d034a2d8870a3afec90502719c74504fb4b926ef5f05308bcfe2f45414fabff90121030e07d96017a794b39b816a72190ae302f64

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d7c79a798fabe91fb13fe7467410d9f3

SHA1
e7a5a42d181c75789fbade3e0d23c37abb21389b

SHA256
1db3f8e1651f15c89ae3d488e211aea8408a8453e1aa411f506170331fc7b473

SHA512
5436c0c5940adbda6864f37bdf0f6e840bfdaaefa82c66d3f22bc3d73c110f42d62be204314198974203bca324395870c4817f3a7d9b34499a4597534baeeac1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
374a23ad090bcc7a4a4ff5c6a9b20b5d

SHA1
0b94c621f87f31350f6e2b4684d20387e5fe2f34

SHA256
3297b07ea4071e1f25f4b5bb945bf87dbde4c61666498ae1b3be4f22abcce40a

SHA512
c5092d16ff15be52efaa36a79fc728a11cebcf66754712c76da0b28f2b3fffe39b10c0dfbcaff088a7724af3a3c7c05c3282afbb7e5bd4844379b1c1ca9d9ff5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
f239162e0de47be9456b0014bcd8e5d7

SHA1
f1adc44e1a911c1d1ba9e3d15f5c7f3c1f6ec2b3

SHA256
b2e4b62e18c5054c9baa5fd063869fbd9da7459bed4498b0c56e6530282939d7

SHA512
4263ba07a03e4bf1770f5530cfa1e6027b134126dd74f18f5b2ee5ddcf7e394d0dfb5165fe42f243c1a6e0a7acc1372df2e3f43e281ec8777ec5e31496013241

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
441eeebeaef41d44b5d68c5020feafbd

SHA1
f7146f698591aae2f2fcdf177ef37e208fb65231

SHA256
8b5530112ac4b79947d21a2c5e703b252a5af6d8d3e8d46cc32f6ed63e5e77f4

SHA512
f137d7b6a609fa8adfe6e3d23932a81c840a53d2a24466328d2f4838336a512da679a6da11098532517e52dcfc6e2c16010232ffebd0a6333db05510edd13ca2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
05fa0745b53794919a6c3a31003e67cf

SHA1
1b3467709911d7fdff840d5504e23e27f47217fb

SHA256
4f65eca0df5e519061db0b9e6011d4c584253379eb1e93701b2815196270db5b

SHA512
935731989b9a60e974d9e2b186cda30569b6f24f497eed33abc62776c507aec93a82dc40433ce56d19da31f213f287355966b493d96cacaca7ecab11689d6199

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
a481252aaaa5825c5449d1610f03b4d1

SHA1
89119c5379a52053a6865920f23999b30be30e22

SHA256
5b604e84b03c6a692fd050865869ae3b4e53c640ca2ccc78ac1e1ce5e81b2c0d

SHA512
8b769621320de28ceb00651dc2a2fecccd9d287d18e2dbef30fbe626e6f5988ab6d5568149681c55099fa171896b7b01b1c29efd733cc15fb998283a762083b4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
ebdeca824bc41dcac39c56e1c460b61d

SHA1
279a0442972dcc88861cb005d93cfe99e3b73c56

SHA256
ef73ace7b08038da577fd9c30af1cfe857b55a21f7d4c3f63f062030009806fc

SHA512
2ba2c958a8399be3bb7321b2e251ea7740391dbcdad6039721da0ed8b3ee7764ffd7fe5dea87515d7fc339a8564e2f6c582b4fa265a3dcf0e5a881ff890a6a96

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
239KB

MD5
6eff784e3dd026f7642973c8ede5db2d

SHA1
372e89c3b3b352ec265074b8ea5b6f8f53293ae1

SHA256
355c9789384542e7096d1fc0f47e80cc53e048989f79f4fc94b656494d3e9821

SHA512
f37e9f529e1fa198d6329dd66bd70659147b45bc9647c28fd03f6f22ad85e7179bab32b00565cd279b8955393680984ab65dbba1a9d7f8006771618e91b6cbbe

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
105KB

MD5
a1e8335fdad1fc72769008c912a1df00

SHA1
85044bc6ee2064ef2d36f8b61a808ac7417baf94

SHA256
b7af03c59d2b2457dc9327bbeaa7baabb9c192e54ab7d9a0eb14e4cf3ff1a4c4

SHA512
fad1d5a5649741b15432ce7a6573f84ce3f6bf6797e3b3141fc6d0bf928e76cb2ed4b820d569317f2b5d1f1ae6fe0dadd3631946dee7ec3b505443d1d984fef2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe59a6a6.TMP

Filesize
89KB

MD5
734c9d6394df3e1dd72982b9bc1bf77a

SHA1
e7eb3c3778c436dddde96d4502451c2521ef031f

SHA256
37b30d382fd637178a5d4af70bb41bcc84dc1e8182610f1469370fd955e394a8

SHA512
f0b32ed09a8a6b6b11021f1f4804d85281b74dd0f36201292770631ddc92c88b0a417d44b50b6f06e6078990609cdbf7ade276a5c0cd7825179b6b04f907abae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\persisted_first_party_sets.json

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Local\MinecraftInstaller\deviceId.txt

Filesize
36B

MD5
a21d939c234450493610e9944022995d

SHA1
fccef7de1d6a262562babd5c7d7a4cd66d8dacf0

SHA256
d9a6d63bd9d22837004a34cad209f46e340bba835263b83022d8d2e7969a8c06

SHA512
e7ebbff80cd17f0ab9e12a48f342bd85b47a62d466c20121135062007a2895548b2fba2df4d09ed20fa8654036fb4bc10cf3b83709b5ca19d33a15077a89f07e

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe

Filesize
14.2MB

MD5
147ced5899ea5862232d023d7bd78b2a

SHA1
3548626010991cb5059a5604f30b200247e9f7e8

SHA256
4bc592024c0ab41ba271cd52fab61d77e7e64a4078282c3fe99fc3ebb19fffac

SHA512
575944cbd78f90eac9966ff1b0101e0177318d77d65b4bdef343afee447237fd43e1c7aa3e25d60cd9f697794c36a5954acea328db6f00af8a751c88d4733560

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe

Filesize
832KB

MD5
af29fa5e5c501cf0c5cab41e4b9b7cec

SHA1
3777394696aba81f1f461450020a1992ece14a78

SHA256
9a061d487e01f31c8eb15c8be934aab4458b94be672056c781e8ce91d510ad48

SHA512
49767ee5ae5d828bb9335bfbd7f5b7639d9380e2f5713e3afbc4b45cc0a9a7b60431f244ca247998ecafff6b140180df0965e0bda5329e78fff7d22f8ad1a84e

Download Submit
C:\Users\Admin\Downloads\MinecraftInstaller.exe

Filesize
39KB

MD5
545530bb46ef60b824676eaa399748d9

SHA1
f3c01eae0151f4237eae75f989d89308cb750adb

SHA256
ed86537503c0de7e7847171e5e85b22c94d932a3a2a69c88f72249a425fbc8de

SHA512
285927966721d95e95d81e126772eeac51dd2c4789a929856a4a688b4aa7d43d58169ece0173b2a0b9cedcbb837d26bcc128035727596857623ca3f65060e19d

Download Submit
memory/2892-358-0x0000000007880000-0x0000000007A42000-memory.dmp

Filesize
1.8MB

Download
memory/2892-372-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/2892-400-0x0000000074AE0000-0x0000000075291000-memory.dmp

Filesize
7.7MB

Download
memory/2892-335-0x0000000074AE0000-0x0000000075291000-memory.dmp

Filesize
7.7MB

Download
memory/2892-336-0x0000000000890000-0x00000000028EA000-memory.dmp

Filesize
32.4MB

Download
memory/2892-378-0x000000000D090000-0x000000000D0B6000-memory.dmp

Filesize
152KB

Download
memory/2892-377-0x000000000B850000-0x000000000B85A000-memory.dmp

Filesize
40KB

Download
memory/2892-357-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/2892-375-0x000000000B2D0000-0x000000000B2DE000-memory.dmp

Filesize
56KB

Download
memory/2892-360-0x0000000008500000-0x0000000008508000-memory.dmp

Filesize
32KB

Download
memory/2892-361-0x00000000074C0000-0x00000000074D0000-memory.dmp

Filesize
64KB

Download
memory/2892-374-0x000000000B780000-0x000000000B7B8000-memory.dmp

Filesize
224KB

Download
memory/2892-373-0x000000000B2A0000-0x000000000B2A8000-memory.dmp

Filesize
32KB

Download
memory/5096-3-0x000001BD7FB80000-0x000001BD7FC3A000-memory.dmp

Filesize
744KB

Download
memory/5096-8-0x000001BD7FFD0000-0x000001BD80008000-memory.dmp

Filesize
224KB

Download
memory/5096-7-0x000001BD7EBE0000-0x000001BD7EBF0000-memory.dmp

Filesize
64KB

Download
memory/5096-0-0x000001BD7E720000-0x000001BD7E748000-memory.dmp

Filesize
160KB

Download
memory/5096-5-0x000001BD7EBE0000-0x000001BD7EBF0000-memory.dmp

Filesize
64KB

Download
memory/5096-4-0x000001BD7EBE0000-0x000001BD7EBF0000-memory.dmp

Filesize
64KB

Download
memory/5096-2-0x000001BD7EBE0000-0x000001BD7EBF0000-memory.dmp

Filesize
64KB

Download
memory/5096-1-0x00007FF9E1630000-0x00007FF9E20F2000-memory.dmp

Filesize
10.8MB

Download
memory/5096-9-0x000001BD7FF90000-0x000001BD7FF9E000-memory.dmp

Filesize
56KB

Download
memory/5096-6-0x000001BD7FA60000-0x000001BD7FA68000-memory.dmp

Filesize
32KB

Download
memory/5096-14-0x00007FF9E1630000-0x00007FF9E20F2000-memory.dmp

Filesize
10.8MB

Download