2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
106s
max time network
109s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20241023-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
03/01/2025, 16:48

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

8^/10

discovery phishing

Malware Config

Signatures

Downloads MZ/PE file
A potential corporate email address has been identified in the URL: [email protected]
phishing

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
155	api.ipify.org
157	api.ipify.org

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000\SOFTWARE\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe

Modifies data under HKEY_USERS 17 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentPalette = a6d8ff0076b9ed00429ce3000078d700005a9e000042750000264200f7630c00	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\AccentColorMenu = "4292311040"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\AccentColor = "4292311040"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\EnableWindowColorization = "130"	LogonUI.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColor = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationGlassAttribute = "1"	LogonUI.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133803965551953321"	chrome.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent\StartColorMenu = "4288567808"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglowBalance = "10"	LogonUI.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Explorer\Accent	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Themes\History\AutoColor = "0"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationColorBalance = "89"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationAfterglow = "3288365271"	LogonUI.exe
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\DWM\ColorizationBlurBalance = "1"	LogonUI.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0\MRUListEx = ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1 = 14002e80d43aad2469a5304598e1ab02f9417aa80000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 020202	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).right = "1050"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\IconSize = "16"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupView = "0"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupView = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\GroupByKey:PID = "0"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:PID = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "650"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\IconSize = "16"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\SniffedFolderType = "Documents"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\ColInfo = 00000000000000000000000000000000fddfdffd100000000000000000000000040000001800000030f125b7ef471a10a5f102608c9eebac0a0000001001000030f125b7ef471a10a5f102608c9eebac0e0000009000000030f125b7ef471a10a5f102608c9eebac040000007800000030f125b7ef471a10a5f102608c9eebac0c00000050000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\HotKey = "0"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Mode = "4"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\KnownFolderDerivedFolderType = "{885A186E-A440-4ADA-812B-DB871B942259}"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:FMTID = "{B725F130-47EF-101A-A5F1-02608C9EEBAC}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0a00000001000000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2 = 14002e8005398e082303024b98265d99428e115f0000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\1	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\NodeSlot = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).x = "4294967295"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\0 = 14002e80922b16d365937a46956b92703aca08af0000	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\NavBar = 000000000000000000000000000000008b000000870000003153505305d5cdd59c2e1b10939708002b2cf9ae6b0000005a000000007b00360044003800420042003300440033002d0039004400380037002d0034004100390031002d0041004200350036002d003400460033003000430046004600450046004500390046007d005f0057006900640074006800000013000000cc0000000000000000000000	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByKey:FMTID = "{00000000-0000-0000-0000-000000000000}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Mode = "4"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\GroupByKey:PID = "14"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-1669812756-2240353048-2660728061-1000\{BFF2742E-F7A3-4F3F-B898-7EE17D3D5E2B}	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Rev = "0"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Vid = "{0057D0E0-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\SniffedFolderType = "Pictures"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\GroupByDirection = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 0100000000000000ffffffff	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\2\MRUListEx = ffffffff	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MaxPos1280x720x96(1).y = "4294967295"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).left = "250"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Rev = "0"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\1\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\2\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\3\Shell\{B3690E58-E961-423B-B687-386EBFD83239}\Mode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\LogicalViewMode = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\MinPos1280x720x96(1).y = "4294935296"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "50"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\ShowCmd = "1"	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1669812756-2240353048-2660728061-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\4\Shell\{885A186E-A440-4ADA-812B-DB871B942259}\Sort = 000000000000000000000000000000000100000030f125b7ef471a10a5f102608c9eebac0e000000ffffffff	explorer.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
4420	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe
2784	HorionInjector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4420	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2784	HorionInjector.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe
Token: SeCreatePagefilePrivilege	1956	chrome.exe
Token: SeShutdownPrivilege	1956	chrome.exe

Suspicious use of FindShellTrayWindow 28 IoCs

pid	Process
2784	HorionInjector.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe
1956	chrome.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
4420	explorer.exe
3480	LogonUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2784 wrote to memory of 3464	2784	HorionInjector.exe	82
PID 2784 wrote to memory of 3464	2784	HorionInjector.exe	82
PID 1956 wrote to memory of 3624	1956	chrome.exe	99
PID 1956 wrote to memory of 3624	1956	chrome.exe	99
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4964	1956	chrome.exe	100
PID 1956 wrote to memory of 4628	1956	chrome.exe	101
PID 1956 wrote to memory of 4628	1956	chrome.exe	101
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102
PID 1956 wrote to memory of 2616	1956	chrome.exe	102

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2784
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:3464

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4420

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x220,0x224,0x228,0x1fc,0x22c,0x7ffabe90cc40,0x7ffabe90cc4c,0x7ffabe90cc58
  2⤵
  PID:3624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1976,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=1948 /prefetch:2
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2100,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2212 /prefetch:3
  2⤵
  PID:4628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2280,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=2496 /prefetch:8
  2⤵
  PID:2616
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3176,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3188 /prefetch:1
  2⤵
  PID:3452
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3196,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3244 /prefetch:1
  2⤵
  PID:1188
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=4564,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3728 /prefetch:1
  2⤵
  PID:2856
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=3208,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5016,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5028 /prefetch:8
  2⤵
  PID:2032
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4876,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5168 /prefetch:8
  2⤵
  PID:1756
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4728,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=4864 /prefetch:8
  2⤵
  PID:432
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=unzip.mojom.Unzipper --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=5052,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5048 /prefetch:8
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4872,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5072 /prefetch:8
  2⤵
  PID:4136
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --extension-process --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=5172,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5140 /prefetch:2
  2⤵
  PID:4072
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=5508,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5520 /prefetch:1
  2⤵
  PID:4496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5472,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5380 /prefetch:1
  2⤵
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=5532,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5616 /prefetch:1
  2⤵
  PID:5044
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --field-trial-handle=4804,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3560 /prefetch:1
  2⤵
  PID:1256
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --field-trial-handle=5592,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3248 /prefetch:8
  2⤵
  PID:1624
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5424,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=5808 /prefetch:8
  2⤵
  - Modifies registry class
  PID:4416
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=21 --field-trial-handle=5544,i,7805941357347419696,6506182291472785126,262144 --variations-seed-version=20241022-180310.361000 --mojo-platform-channel-handle=3276 /prefetch:1
  2⤵
  PID:1268

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:2900

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:480

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa3a2e855 /state1:0x41c64e6d
1⤵
- Modifies data under HKEY_USERS
- Suspicious use of SetWindowsHookEx
PID:3480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
18cc430f043d5e5f266043b238ae0490

SHA1
3f3740bc5e79b795e45aff5fcb7a7489b47310f6

SHA256
a59c47e46a1b833d8b4b3000f097d87ec3fd7aa3555a94a4e1b0bc77d6742028

SHA512
7eec05a25a4b914f39984f2e2f3958b25bba7e8e2968c40edb27075e5e77f0d8486f6d5fc57b170b71e0f5511a9dda9645990685b5fd1ec9bf8fb6ef15eb59a1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
1KB

MD5
7b4cfe3ea90a88f551134b104b876e59

SHA1
473faeb3611e07dc23e1c9e4721ea8e6fe3073b9

SHA256
8ef42f0add6109482b7f17774febec749ab275ce3c7f6246d9053712436f2334

SHA512
14d8a850077c77b0725067c918534aaaed4869f700a5d1d3ef278d5a7a2d343c459eec625ada77f1eaa9a32abdd88a85fe4d53e155a8d0b47d3f23bf644730ac

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
f0c35a84419e02df6ab9d6f54856ca7f

SHA1
21873ca311920ed364bb8806e2e4d449bfeb0cd2

SHA256
541d3bc5542e8a8e54569d2426d8ed0b621bb950b461e1c04dda10f95b62dc38

SHA512
713505d5592aee8c8754b1d3a3722bd3e546837c83de510c2b133b12483a9a91e3cd602a985e425a3c144700ba76b157cf7c10c37c8fd3633535be7f05ab149f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\_locales\en\messages.json

Filesize
851B

MD5
07ffbe5f24ca348723ff8c6c488abfb8

SHA1
6dc2851e39b2ee38f88cf5c35a90171dbea5b690

SHA256
6895648577286002f1dc9c3366f558484eb7020d52bbf64a296406e61d09599c

SHA512
7ed2c8db851a84f614d5daf1d5fe633bd70301fd7ff8a6723430f05f642ceb3b1ad0a40de65b224661c782ffcec69d996ebe3e5bb6b2f478181e9a07d8cd41f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\ghbmnnjooekpmoecnnnilnnbdlolhkhi\1.85.1_0\dasherSettingSchema.json

Filesize
854B

MD5
4ec1df2da46182103d2ffc3b92d20ca5

SHA1
fb9d1ba3710cf31a87165317c6edc110e98994ce

SHA256
6c69ce0fe6fab14f1990a320d704fee362c175c00eb6c9224aa6f41108918ca6

SHA512
939d81e6a82b10ff73a35c931052d8d53d42d915e526665079eeb4820df4d70f1c6aebab70b59519a0014a48514833fefd687d5a3ed1b06482223a168292105d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
12KB

MD5
7422074ebe46a16816c4f64a2ba720fd

SHA1
ad2fd95673389ac927929bd5c8d14a89f69c69f2

SHA256
7809dfc0d1f4796a319470dc7e3c9a257bf8d7b6c49e97b17c928f58cdb81a4f

SHA512
2ba986b680f348d637824a0628c14f5c625aaf107ea436fa061b80cad7180a7337474f0057492faad2b38f0f81ffcc291cff7df3de032daa28542ec4a86a4ec7

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
7cb82d6d46bdf1742dbedae6b75f0975

SHA1
10c97b91c4fc4568a05aed33c5e7c01aa04831f4

SHA256
ba4077ab262ba7878d3c81ecccc65f06e8bf24c173d0065b5a4db461fd476ed8

SHA512
ef70a082b05d98d0afb7af8e183f57f3072589392717cbd3ccfc7b930d69019425cc832cd8783890e39e17bc0f81a835651f68a951fe97fcf99e6b226020640f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
352B

MD5
ad41dfcbabde6b52174d3ab0ce9ad7e6

SHA1
9020c651709e260445bd76427592bb6e2a640eb4

SHA256
d2f11eefec9f718ff31ed17d80bf9597ac80ba0a9269735a9e1dbc09056c67b7

SHA512
0d495161ed20bece819dd71a520b6d69332ad41afa1078f9c6e061ac21b533d3d08ba392d6ae2943b6e1cb8832861b661aa07ba3deddf12685bef407e953a74e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
1KB

MD5
59f1158e3d6b798495b520d11f321c0f

SHA1
339a52a8e42f3df7c9ebd1c5fd522153bc9cff02

SHA256
efd06e4e3c48a3780c1953b18fffe064e33440954d3b5601870db98cc250310e

SHA512
c04f2b268730e1ab3924a49acb5ea6eb35d9ee13c54c42d9b8adf1ddd997b2d035ee7813b8adfc3edac781b1df784a9424e6a73d7f7615c83ec14afc1a760c66

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
dc5c05b9da76d37b0d55b925f9c70d71

SHA1
baf8a7711dfc294ce9eba56df2eacbfbea74b54d

SHA256
acc93b21d724447e3cfa03c12e17676fa452fed3d07c670e8932870be5d9888a

SHA512
385f2949ae2b3b62828bcc9d1e3f97043149a6dccdf3eae3ac5d5e8b9d3bc9c0e79927bf257fd29926788d280ad6d837f5cff2604ba14462ee37bca3a115be78

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e35e560f211de6cb96c687fe737c7c80

SHA1
37d7195483ffe28e3947f55094c9fc0048fefcfa

SHA256
9c622ed858e0558ec3b046d78faf52e2875aabec051e6e823bfe5a785f432b8d

SHA512
bde5380d4ed4da157931a2b20ac3423cbe5ea332ccccdd49264a1787a6d8d4169d4e58963aebfad723942be3c7d304d7c191c31b1dc17bf770e3e2a3018ac537

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
6408131b16c083f0ea5b47a42af300a6

SHA1
43c0a105ff7678de1f4a96b3c77247185967c712

SHA256
214893694f6f64dfa1d3978b394ee11346bf25be43308b4fa866b37d4bdf57b5

SHA512
564b15fbb69ed7cfba9a3cb09d79c221e84bf415a44fafb0dac5b77968af4c653dc9485c4dae03ea8747f094d834d32b7b627a97266eec58150412b59a9d9928

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a5c5914153c79613cf137f702a8f9bff

SHA1
c1ba7f54142c86e936e72a9910cce30ae4f9d0cf

SHA256
213721ee68cacd0b9d1c4c45834aa09f45e96418ea6054ff347492d99ecb95bf

SHA512
d3fa3e8a87eaf46f1f54b707a9c7e05453222d6744da2f72815f06f045175ed64a5db66de7d866daccb0bbac138613e80eab0392aac195c3a880261cfd8ac24c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
22ad5a0f151f885e44ce64c0a6824eae

SHA1
3a840198c60305971fe0939e96a9a8c0ec9da319

SHA256
84d17b319ac98b1e88f83ca865c712a1a4d0f73817344f9d4a967cd5d5d387b6

SHA512
bcb8c1096d33a84efa3f890bf7dcdcd64614276f8b88b85c428b8663044d224187267e445003ab1faa4416cba36a85fc53fb15d183411ac01538f4504b911451

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
e2ca53b6da4a6799ccb700b95d5e8afa

SHA1
8a08c20283120587c112363c02a0fccd9892defb

SHA256
bd92df0c93ddf5937f6866f2009c28696ebd1b2a8d85b03aca1d57f2bd14e0e2

SHA512
1f6007ac326d3516c8beaf1c989ad2cba1e092fd2218428a4233e6035f6deaa5217ca2f7aea9dcb6356485f86fecc6f66697007ee460b6b51c18f2f80d2af9ae

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
eb9d494dec2f02a02faf80577ec5f3f0

SHA1
5b8db5bcffcfd72a4fbea2962fc8a35c18ad4d28

SHA256
ebf8c3cb2c4c4799c2c83a762391536b0654579fd55fc641b87b5a9d8bd77301

SHA512
b4b184693e839b9a209995d434eca4a2e2b33d50684c1488608f8e1516fec8aa1b93b5f36fa5f29c615d7a59a2a408c98087de7dcb818c5cc745655da09b92ea

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
3339e6af987d3b87141b187b91f08c44

SHA1
4aa5425cb71cbed36377cd7ddafa4182aea57e84

SHA256
1dae3801c96aeb355bd7eb9f196994d672be7f7c4c1d8438ab5cb60361be01e7

SHA512
005a076feb9ed861917d297d4528441de69a72c54fec6599a84dff065eff9edfc50189379c4347f775f4508b81ec2ea27de37dd7cf739b5a3e1ceb32b034411c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
3747f91b3c14815b1df9b89fc5818c57

SHA1
f498502b151c08a0784f87c9632a465c2ed00a54

SHA256
3177e010b1186db6425febe0843076db40619177b46a9dda4f49c1443856696b

SHA512
ed9a08f2ce6617a78ed8c03b3b61582c66687373bcacf8ff84b5f51f61b02f43ddb898fafe80dedf331c48844c71041cb4bd80e951e01185ea2cedd440fe4731

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
233KB

MD5
91ce173b91c9989a8e085c72c7965f7d

SHA1
1b6d0101153ada5e7576adcf9ad01d0ebd3a5da7

SHA256
f3c5b05df706234e7d5ef05c40710e96410801ed9aa2519c31141b4dfe8dba3c

SHA512
a9d8fbb5f9a3f6792a4b72543d09c69e466517b1ac98baa2cd821e598d3f167d87209ac85d792f093e5cb918eaaa96b5e5629748f857cf0e48bf6d5615a4a303

Download Submit
C:\Users\Admin\AppData\Local\Temp\scoped_dir1956_1611662508\CRX_INSTALL\_locales\en\messages.json

Filesize
711B

MD5
558659936250e03cc14b60ebf648aa09

SHA1
32f1ce0361bbfdff11e2ffd53d3ae88a8b81a825

SHA256
2445cad863be47bb1c15b57a4960b7b0d01864e63cdfde6395f3b2689dc1444b

SHA512
1632f5a3cd71887774bf3cb8a4d8b787ea6278271657b0f1d113dbe1a7fd42c4daa717cc449f157ce8972037572b882dc946a7dc2c0e549d71982dcdee89f727

Download Submit
memory/2784-17-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-18-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-1-0x0000021067440000-0x0000021067468000-memory.dmp

Filesize
160KB

Download
memory/2784-2-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-3-0x000002106BCF0000-0x000002106BDAA000-memory.dmp

Filesize
744KB

Download
memory/2784-4-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-5-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-6-0x000002106BCE0000-0x000002106BCE8000-memory.dmp

Filesize
32KB

Download
memory/2784-7-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-8-0x000002106FD50000-0x000002106FD88000-memory.dmp

Filesize
224KB

Download
memory/2784-9-0x000002106FD20000-0x000002106FD2E000-memory.dmp

Filesize
56KB

Download
memory/2784-10-0x00007FFABED73000-0x00007FFABED75000-memory.dmp

Filesize
8KB

Download
memory/2784-15-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-16-0x00007FFABED70000-0x00007FFABF832000-memory.dmp

Filesize
10.8MB

Download
memory/2784-0-0x00007FFABED73000-0x00007FFABED75000-memory.dmp

Filesize
8KB

Download
memory/4420-33-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-25-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-20-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-21-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-22-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-24-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-23-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-19-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-26-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-28-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-34-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-32-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-31-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-27-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-29-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download
memory/4420-30-0x0000000007C90000-0x0000000007CA0000-memory.dmp

Filesize
64KB

Download