2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

Analysis

max time kernel
150s
max time network
150s
platform
windows11-21h2_x64
resource
win11-20250211-en
resource tags

arch:x64arch:x86image:win11-20250211-enlocale:en-usos:windows11-21h2-x64system
submitted
16/02/2025, 11:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HorionInjector.exe
Size

147KB
MD5

6b5b6e625de774e5c285712b7c4a0da7
SHA1

317099aef530afbe3a0c5d6a2743d51e04805267
SHA256

2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d
SHA512

104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08
SSDEEP

3072:ckgHqUGSCoEslON/q178+oO3BAE4T/DvueX:cNHqUGSCPBh+7VST/Ke

Score

8^/10

adware defense_evasion discovery persistence privilege_escalation stealer

Malware Config

Signatures

Boot or Logon Autostart Execution: Active Setup 2 TTPs 7 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\ = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\StubPath = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\Installer\\setup.exe\" --configure-user-settings --verbose-logging --system-level --msedge --channel=stable"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Localized Name = "Microsoft Edge"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\IsInstalled = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Active Setup\Installed Components\{9459C573-B17A-45AE-9F64-1857B5D58CEE}\Version = "43,0,0,0"	setup.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
21	1776	Process not Found

Event Triggered Execution: Component Object Model Hijacking 1 TTPs
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
persistence privilege_escalation

Component Object Model Hijacking
T1546.015

Executes dropped EXE 13 IoCs

pid	Process
2888	HorionInjector.exe
2108	HorionInjector.exe
1412	setup.exe
1080	setup.exe
220	HorionInjector.exe
3036	setup.exe
3440	setup.exe
3924	setup.exe
3332	setup.exe
2564	setup.exe
1888	setup.exe
1724	setup.exe
384	setup.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Installs/modifies Browser Helper Object 2 TTPs 8 IoCs

BHOs are DLL modules which act as plugins for Internet Explorer.

stealer adware

Modify Registry

T1112

Browser Extensions

T1176

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ = "IEToEdge BHO"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\NoExplorer = "1"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects	setup.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\Microsoft Edge.lnk	setup.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\VisualElements\LogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\kn.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\msedge.exe.sig	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\Entities	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\resources.pri	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Mu\CompatExceptions	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ga.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Stable.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\en-US.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Sigma\Content	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\SmallLogoBeta.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\es.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\nb.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\13fd8784-2890-468c-b49b-48171f4ab4df.tmp	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\dual_engine_adapter_x64.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ne.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\VisualElements\SmallLogoCanary.png	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ga.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\EdgeWebView.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\tr.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\identity_proxy\win11\identity_helper.Sparse.Internal.msix	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\id.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\SetupMetrics\3036_13384178040007903_3036.pma	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\cookie_exporter.exe	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\gd.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\ko.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Staging	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\identity_proxy\win10\identity_helper.Sparse.Canary.msix	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\eu.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\or.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Cryptomining	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\mip_protection_sdk.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msvcp140_codecvt_ids.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\vk_swiftshader.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\manifest.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\sr-Latn-RS.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\qu.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\v8_context_snapshot.bin	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\vk_swiftshader_icd.json	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\te.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\es-419.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\mk.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge.dll	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\et.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\tt.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\msedge_elf.dll	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Fingerprinting	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\gl.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\icudtl.dat	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\mi.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\notification_helper.exe	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\bg.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\kk.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\ru.pak	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\da.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Trust Protection Lists\Mu\Social	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\am.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\Locales\nb.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\edge_feedback\mf_trace.wprp	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Trust Protection Lists\Sigma\Entities	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Locales\pt-PT.pak	setup.exe
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\VisualElements\SmallLogoDev.png	setup.exe
File created	C:\Program Files (x86)\Microsoft\EdgeCore\133.0.3065.69\onnxruntime.dll	setup.exe

Drops file in Windows directory 37 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp	chrome.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp\msedge_installer.log	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe
File opened for modification	C:\Windows\SystemTemp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\settings.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File created	C:\Windows\SystemTemp\cf990d1f-733a-4945-b170-4b8d6bb6b409.tmp	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\throttle_store.dat	setup.exe
File opened for modification	C:\Windows\SystemTemp\MsEdgeCrashpad\metadata	setup.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 1 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HorionInjector.exe:Zone.Identifier	chrome.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MicrosoftEdgeUpdate.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3604	MicrosoftEdgeUpdate.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies Internet Explorer settings 1 TTPs 40 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Main\EnterpriseMode\MSEdgePath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application"	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\EdgeIntegration\AdapterLocations\C:\Program Files (x86)\Microsoft\Edge\Application = "1"	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute\microsoft-edge	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy	setup.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\Policy = "3"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\ProtocolExecute	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppPath = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\BHO"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\AppName = "ie_to_edge_stub.exe"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\Locked = "1"	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\ITBar7Layout = 13000000000000000000000020000000100000000000000001000000010700005e01000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Main\EnterpriseMode	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\Low Rights\ElevationPolicy\{c9abcf16-8dc2-4a95-bae3-24fd98f2ed29}\ = "IEToEdge Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\EdgeIntegration	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000\Software\Microsoft\Internet Explorer\Toolbar	explorer.exe

Modifies data under HKEY_USERS 4 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge\InstallerPinned = "0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133841779482790317"	chrome.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Edge	setup.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).top = "46"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\ = "Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.svg\OpenWithProgIds\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\VersionIndependentProgID\	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.shtml	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.svg\OpenWithProgids	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.pdf\OpenWithProgids\MSEdgePDF	setup.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1\MRUListEx = ffffffff	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\CLASSES\MIME\Database	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\ = "TypeLib for Interface {C9C2B807-7731-4F34-81B7-44FF7779522B}"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\DisplayName = "PDF Preview Handler"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\Application\ApplicationIcon = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,0"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.shtml\OpenWithProgids\MSEdgeHTM	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.pdf\OpenWithProgids	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616193"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\FFlags = "1092616209"	explorer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LoadUserSettings = "1"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\open	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeMHT\Application\ApplicationName = "Microsoft Edge"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ie_to_edge_bho.IEToEdgeBHO\CurVer\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgePDF\shell\runas\command	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\ProgID\ = "ie_to_edge_bho.IEToEdgeBHO.1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\ = "PDF Preview Handler"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgeHTM\shell\runas\command\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\msedge.exe\" --do-not-de-elevate --single-argument %1"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.htm\OpenWithProgIds\MSEdgeHTM	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C}\Implemented Categories\	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.mht	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\ie_to_edge_bho.dll\AppID = "{31575964-95F7-414B-85E4-0E9A93699E13}"	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	explorer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	explorer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{628ACE20-B77A-456F-A88D-547DB6CEEDD5}\LocalServer32	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\Interface\{C9C2B807-7731-4F34-81B7-44FF7779522B}\TypeLib	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{C9C2B807-7731-4F34-81B7-44FF7779522B}\1.0\0\win64\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\elevation_service.exe"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{31575964-95F7-414B-85E4-0E9A93699E13}\ = "ie_to_edge_bho"	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\DefaultIcon\ = "C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\msedge.exe,11"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\MSEdgeMHT\shell\runas\command	setup.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	explorer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\Vid = "{137E7700-3573-11CF-AE69-08002B2E1262}"	explorer.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\{7D49D726-3C21-4F05-99AA-FDC2C9474656}\LogicalViewMode = "1"	explorer.exe
Key created	\REGISTRY\MACHINE\Software\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4A749F25-A9E2-4CBE-9859-CF7B15255E14}\LocalServer32\ = "\"C:\\Program Files (x86)\\Microsoft\\Edge\\Application\\133.0.3065.69\\notification_click_helper.exe\""	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MSEdgePDF\ = "Microsoft Edge PDF Document"	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xhtml\OpenWithProgids	setup.exe
Key created	\REGISTRY\MACHINE\Software\Classes\.xml	setup.exe
Key created	\Registry\User\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\NotificationData	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\1	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3A84F9C2-6164-485C-A7D9-4B27F8AC009E}\AppID = "{6d2b5079-2f0b-48dd-ab7f-97cec514d30b}"	setup.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1008898722-3518013580-3694625758-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\AllFolders\Shell\WinPos1280x720x96(1).bottom = "646"	explorer.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\HorionInjector.exe:Zone.Identifier	chrome.exe

Suspicious behavior: AddClipboardFormatListener 4 IoCs

pid	Process
4300	explorer.exe
3328	explorer.exe
1984	explorer.exe
1760	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe
5016	HorionInjector.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4300	explorer.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 9 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5016	HorionInjector.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe
Token: SeCreatePagefilePrivilege	3672	chrome.exe
Token: SeShutdownPrivilege	3672	chrome.exe

Suspicious use of FindShellTrayWindow 35 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of SendNotifyMessage 12 IoCs

pid	Process
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe
3672	chrome.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4300	explorer.exe
4300	explorer.exe
3328	explorer.exe
3328	explorer.exe
1984	explorer.exe
1984	explorer.exe
1760	explorer.exe
1760	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5016 wrote to memory of 4424	5016	HorionInjector.exe	86
PID 5016 wrote to memory of 4424	5016	HorionInjector.exe	86
PID 3672 wrote to memory of 3460	3672	chrome.exe	97
PID 3672 wrote to memory of 3460	3672	chrome.exe	97
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 3036	3672	chrome.exe	98
PID 3672 wrote to memory of 2272	3672	chrome.exe	99
PID 3672 wrote to memory of 2272	3672	chrome.exe	99
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100
PID 3672 wrote to memory of 4964	3672	chrome.exe	100

System policy modification 1 TTPs 4 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\	setup.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID	setup.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Ext\CLSID\{1FD49718-1D00-4B19-AF5F-070AF6D5D54C} = "1"	setup.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe
"C:\Users\Admin\AppData\Local\Temp\HorionInjector.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Windows\explorer.exe
  explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
  2⤵
  PID:4424

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:4300
- C:\Users\Admin\Downloads\HorionInjector.exe
  "C:\Users\Admin\Downloads\HorionInjector.exe"
  2⤵
  - Executes dropped EXE
  PID:2108
- - C:\Windows\explorer.exe
    explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
    3⤵
    PID:4800
- C:\Users\Admin\Downloads\HorionInjector.exe
  "C:\Users\Admin\Downloads\HorionInjector.exe"
  2⤵
  - Executes dropped EXE
  PID:220
- - C:\Windows\explorer.exe
    explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
    3⤵
    PID:1612

C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe" /ping PD94bWwgdmVyc2lvbj0iMS4wIiBlbmNvZGluZz0iVVRGLTgiPz48cmVxdWVzdCBwcm90b2NvbD0iMy4wIiB1cGRhdGVyPSJPbWFoYSIgdXBkYXRlcnZlcnNpb249IjEuMy4xOTUuNDMiIHNoZWxsX3ZlcnNpb249IjEuMy4xOTUuNDMiIGlzbWFjaGluZT0iMSIgc2Vzc2lvbmlkPSJ7ODdCOTdFRjItNEU4NS00MUZELThEMDAtNTREQjQzOUVEMEZCfSIgdXNlcmlkPSJ7NzQyOURGRjQtMUI2Qy00NEFCLTk0QTEtQUU2NUUyMTZCMDNFfSIgaW5zdGFsbHNvdXJjZT0ibGltaXRlZCIgcmVxdWVzdGlkPSJ7QUVBNUJFN0MtNEM4My00RDlFLUI3OTQtOTVGOEREM0I0REUxfSIgZGVkdXA9ImNyIiBkb21haW5qb2luZWQ9IjAiPjxodyBsb2dpY2FsX2NwdXM9IjIiIHBoeXNtZW1vcnk9IjQiIGRpc2tfdHlwZT0iMiIgc3NlPSIxIiBzc2UyPSIxIiBzc2UzPSIxIiBzc3NlMz0iMSIgc3NlNDE9IjEiIHNzZTQyPSIxIiBhdng9IjEiLz48b3MgcGxhdGZvcm09IndpbiIgdmVyc2lvbj0iMTAuMC4yMjAwMC40OTMiIHNwPSIiIGFyY2g9Ing2NCIgcHJvZHVjdF90eXBlPSI0OCIgaXNfd2lwPSIwIiBpc19pbl9sb2NrZG93bl9tb2RlPSIwIi8-PG9lbSBwcm9kdWN0X21hbnVmYWN0dXJlcj0iIiBwcm9kdWN0X25hbWU9IiIvPjxleHAgZXRhZz0iJnF1b3Q7RSt4YkF6Nlk2c1UxMjg5YlM2cWw0VlJMYmtqZkJVR1RNSnNqckhyNDRpST0mcXVvdDsiLz48YXBwIGFwcGlkPSJ7OEE2OUQzNDUtRDU2NC00NjNjLUFGRjEtQTY5RDlFNTMwRjk2fSIgdmVyc2lvbj0iMTIzLjAuNjMxMi4xMjMiIG5leHR2ZXJzaW9uPSIiIGxhbmc9ImVuIiBicmFuZD0iR0dMUyIgY2xpZW50PSIiIGluc3RhbGxhZ2U9IjQiIGluc3RhbGxkYXRldGltZT0iMTczOTI5NDgzNCIgb29iZV9pbnN0YWxsX3RpbWU9IjEzMzgzNzY2NTUyNTM3MDAwMCI-PGV2ZW50IGV2ZW50dHlwZT0iMzEiIGV2ZW50cmVzdWx0PSIxIiBlcnJvcmNvZGU9IjAiIGV4dHJhY29kZTE9IjIxNzk4NjIiIHN5c3RlbV91cHRpbWVfdGlja3M9IjQ4OTc4NzIwMDUiLz48L2FwcD48L3JlcXVlc3Q-
1⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
PID:3604

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe"
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3672
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff86701cc40,0x7ff86701cc4c,0x7ff86701cc58
  2⤵
  PID:3460
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1812,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=1808 /prefetch:2
  2⤵
  PID:3036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2096,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2108 /prefetch:3
  2⤵
  PID:2272
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2200,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=2208 /prefetch:8
  2⤵
  PID:4964
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3068,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3220 /prefetch:1
  2⤵
  PID:3640
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3132,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3252 /prefetch:1
  2⤵
  PID:3092
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --field-trial-handle=3536,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3532 /prefetch:1
  2⤵
  PID:1888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4572,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4556 /prefetch:8
  2⤵
  PID:900
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4564,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:228
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4692,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4656 /prefetch:8
  2⤵
  PID:1896
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=4776,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4664 /prefetch:8
  2⤵
  PID:3984
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --field-trial-handle=4968,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=4336 /prefetch:1
  2⤵
  PID:1724
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --field-trial-handle=3724,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5048 /prefetch:1
  2⤵
  PID:2544
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --field-trial-handle=3312,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3364 /prefetch:1
  2⤵
  PID:1192
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --field-trial-handle=4988,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3736 /prefetch:1
  2⤵
  PID:4512
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=16 --field-trial-handle=5188,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5212 /prefetch:1
  2⤵
  PID:4168
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --field-trial-handle=3340,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=3280 /prefetch:1
  2⤵
  PID:2992
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5596,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5620 /prefetch:8
  2⤵
  PID:1548
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5564,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5760 /prefetch:8
  2⤵
  PID:2920
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5612,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5924 /prefetch:8
  2⤵
  PID:2936
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5800,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=6080 /prefetch:8
  2⤵
  PID:1844
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=5956,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=6224 /prefetch:8
  2⤵
  PID:4684
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5784,i,1330853241709133744,1386088122597011186,262144 --variations-seed-version=20250211-050107.114000 --mojo-platform-channel-handle=5208 /prefetch:8
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - NTFS ADS
  PID:1020
- C:\Users\Admin\Downloads\HorionInjector.exe
  "C:\Users\Admin\Downloads\HorionInjector.exe"
  2⤵
  - Executes dropped EXE
  PID:2888
- - C:\Windows\explorer.exe
    explorer.exe shell:appsFolder\Microsoft.MinecraftUWP_8wekyb3d8bbwe!App
    3⤵
    PID:1372

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:3800

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:5100

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:3328

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1984

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\MicrosoftEdge_X64_133.0.3065.69.exe
"C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
1⤵
PID:3120
- C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe
  "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe" --install-archive="C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\MicrosoftEdge_X64_133.0.3065.69.exe" --msedge --verbose-logging --do-not-launch-msedge --system-level --channel=stable
  2⤵
  - Boot or Logon Autostart Execution: Active Setup
  - Executes dropped EXE
  - Installs/modifies Browser Helper Object
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Modifies Internet Explorer settings
  - Modifies registry class
  - System policy modification
  PID:1412
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff67c086a68,0x7ff67c086a74,0x7ff67c086a80
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1080
- - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe
    "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe" --msedge --channel=stable --system-level --verbose-logging --create-shortcuts=2 --install-level=1
    3⤵
    - Executes dropped EXE
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Modifies data under HKEY_USERS
    PID:3036
  - - C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe
      "C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff67c086a68,0x7ff67c086a74,0x7ff67c086a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:3440
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --register-package-identity --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3924
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7351f6a68,0x7ff7351f6a74,0x7ff7351f6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --remove-deprecated-packages --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:3332
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7351f6a68,0x7ff7351f6a74,0x7ff7351f6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:1724
- - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --msedge --channel=stable --update-game-assist-package --verbose-logging --system-level
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    PID:1888
  - - C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --type=crashpad-handler /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\SystemTemp\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=133.0.6943.99 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\133.0.3065.69\Installer\setup.exe" --annotation=plat=Win64 --annotation=prod=Edge --annotation=ver=133.0.3065.69 --initial-client-data=0x23c,0x240,0x244,0x218,0x248,0x7ff7351f6a68,0x7ff7351f6a74,0x7ff7351f6a80
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      PID:384

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Modifies Internet Explorer settings
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:1760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Browser Extensions

T1176

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Event Triggered Execution

T1546

Component Object Model Hijacking

T1546.015

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\EdgeUpdate\Install\{FDE278B6-9240-4A3D-B5D4-BFFC157D29D5}\EDGEMITMP_F6A15.tmp\setup.exe

Filesize
6.8MB

MD5
bdb1aecedc15fc82a63083452dad45c2

SHA1
a074fcd78665ff90ee3e50ffcccad5f6c3e7ddcb

SHA256
4ea0907c3fc2c2f6a4259002312671c82e008846d49957bb3b9915612e35b99f

SHA512
50909640c2957fc35dd5bcac3b51797aa5daa2fb95364e69df95d3577482e13f0c36a70ae098959cb9c2aaeb4cfe43025c1d8d55b5f8858b474bcb702609749d

Download Submit
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Filesize
3.9MB

MD5
4aaa893417cccc147989f876c6a7b295

SHA1
b1e35c83518bb275924ead0cd6206bf0c982d30f

SHA256
2c38e3c3f18e2d3fb7f04336356b9b5186cabe06b3343beec318ef0def1a9eeb

SHA512
109e0c88977fae65a4950fc38393ca32a70d68ef41aeb75b28e6566e0fa626e32e31be38308e7ed5b6a8ba1f56fb5f2133a07aa8bb643224c3dbb089ce9cfd0e

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
840B

MD5
c09511159a6238e0cedb3862138adb09

SHA1
ec0a0321e7786db32f3069dd824731c6fb330b2c

SHA256
a7d916611075bd0b746fd772a47ac24c9ba144ebe8b9f3897dca2186fac0f776

SHA512
d5b1681f0610ccb26cc9094421cc82d0ee9d90ad15462d9aa499b1ef21d218143247ebf972c1c48077a75798ad5f61aa9e49c2f57aa3cc4964f30867751f9ef4

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\DawnCache\data_1

Filesize
264KB

MD5
7ba7df9f91e83681565ac0fd6c358f68

SHA1
600ab1677b4986f826f23d72c8453bcd01799894

SHA256
bd0e3c5f19ac041c0efd1a266ebf47c17a0774d9431a72a2a546f85a87719cba

SHA512
a9f9e34292ab31d3fb32a8456c531c111fb2e1997c44dea287c156f4785e5dfedbd98c0a8f3b25bf1f8058ed87e5fb1e6124985e225803108fb0870069c31091

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
9KB

MD5
9d12e79a55050955204cc2571193bb2a

SHA1
4e9b66f76554f5ee987bc6a37f589a361076270b

SHA256
5675a0d38b1aa8410388f13e5fe95d859e89738d5ee1af3c028cb90be0182d23

SHA512
dee375edf3628c58fab9e3bf9fab10ea8ab815cd561772a53b3da63a7dc8488f2cd05cdf729ac05eaa8d56b06a8f59dee0ec0d0e75a5d81de0fccdeeca8c01b9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
356B

MD5
db6190a5cdf46b9544e1096573643280

SHA1
668b71bea7f3f56904c28d596fe420b07fe87698

SHA256
2b93c37c98829545e8ea18bf9bf0e67bf3effa72044412f42326f741bc2d4c86

SHA512
60c9ebce10c8ab81db14d24ff817ed3e93ae6fd34d66fc28613af9bb59a52fba1859d1d094c608c3b95b62d70125620bdac5ac77d2b5d0f552248e5f8210523a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
87fbcf2c4fb91ccde9838f3fc1623717

SHA1
aa81a95836f8a682c8138917d952c1fb628010e2

SHA256
ff4c012251e03de098a23740e0d24edc5afdcaeb5587153fc6b67512156de491

SHA512
6010ded72aa39878fac39223fb236fb7760e9b2b31a9c08b5343c84c6c29f3e0bac2d35d1095abd8cc6de392d45c5e2adc3d5b8c1619fa1d867f9c717a44ed50

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
692B

MD5
594cbd1d2af04fa79d3acf74f883bcee

SHA1
671c4a62b27eb9f2280bb995765d9b491f8faf15

SHA256
48965d7ce9003685a8530c333fc1baf5f160bab272bcb544810db61d1f47b5ea

SHA512
9670bf457b28c6ded5e3d4b50ebdb9cc1ba3e6cbb545eacd357ecf612e0d77d6479e6e0ee21ee48fbce7e6122908563ab0d34ba8f28b694a581c9e69b3ade262

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
a962a1550c0d059685f6e3667a0f5430

SHA1
3a3795954d65206544dec7c3b4f03507ced9717f

SHA256
3a44885485a19e111dc1f92cde37f7d0b3eabdaa8360043f91e8fccb371ddad9

SHA512
5f644e14e09ec43857d067da360667a18e3e75fc94b7a7c2bc3fabe79ed6dfac4727375af20f1499884ba8511c4e61f7255019f7bafbdd8ce028fb4cee52a269

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
15ece32f9ae3c801f273d1f02a88c2b9

SHA1
7f36666f808780e917ff3b6ea48790277aba2881

SHA256
301e28200e79b3a13e1886154e623b4c4a690835052c822367044b1b4b549a9b

SHA512
d74f4b80c779d9fb2d308443fca87cba5bdabcd53f2a1753dc8b1f3425b5b026c705644b4c600ba5a17a39afde89b0471e88a68e5bd1acd9e85db5b4f1b60d8f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
e0fec045287b2b9a98b4dfb9bb5fc61e

SHA1
e106d9c374fa7a5814914d888d01e415940e3a22

SHA256
540ff886e7814404e4d8f87167756d7de3abc4a8915ae0af81d7be2b82d97cf4

SHA512
fc2cc7ef499f0b7664f3b7420cb1d291c9f218809b76fd3261e2ef20cce1765b4e291ec0fcd91a88d67bca4f0d4a1ff20db83b4407582b1091ca2dc2337f2cba

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
10KB

MD5
e3e8db09f4e4efd5c2f5cd5c42b18c54

SHA1
b62448195ee3087ebf87cc4a857f54747df7f5cf

SHA256
294c6b11b297bcf41980fe9920ef31bd035c1558ccc86e16110f2421cf476700

SHA512
6653d9749e0e4cc1078421332931224caf7bc962c490efbdba5d69250a9bfc0251bd4d7d7c800fc195517dade49e630231e2e97df0cd3c1407a4e662d623e302

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Secure Preferences

Filesize
15KB

MD5
1c23d4080dad3bbf14a2fa38264821a0

SHA1
74547cb003e95fd64788dc974185227f88481c53

SHA256
21f391f279afe1afbf316e78ef0b24214b40729fb121b4334f3d000e0ec48f2f

SHA512
f6f3caeaf3c106c82d62c5476487728d07be0a84bb228bc0dcfb72647be39f79e4525cc40f70a13d3dd9687a8036ef6e3cf7d84861f4824e478a6b92960c0aa5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
14044c279f6324de69ec58b2a0914178

SHA1
f569393cdee34cf077fda2aa5356f28078cdde3b

SHA256
c55621caea9f05b465991003e23fa91917b2cbbcf18da0105c468075e7e60c0f

SHA512
df628d3ae185011224d4cd91e03eecdc934864880e3b6a19c1fa056599e7d97fe58e8232415c26ba384e25fcc866edef46fc24e8524e12ed8a4a1b1a8d2d48f1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
873ac00d9ed950dd6863fed5967f1f30

SHA1
f900e526c770089086f9a6fd0db39dfb01186a8f

SHA256
2e86215988a4ca2d978d7fba0f433aa5c9142848e1292812db204eeb88c89a14

SHA512
cfce2aedac5c75c1bdaf50152afd4c6af71bc4a976e8be5d8ec849de85a7d14b5061f53d4e2833c12b735428dc10b8344ec1dced16334e4492f98200df566ff0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
247KB

MD5
ae5181778c678460bc4603ee6b3ff721

SHA1
d5521cdba7f8f5752af3a6adc365a20cacf2a3fa

SHA256
ac3a3c1f7b858e63dfe3a660b2a3548b9ed5eb45cce784fcd91717816f045931

SHA512
3f880a64fe83adf5a3b5ec63a984665156571a6530d776b87ab0b39e18e50618629d84d21b0fb91962c959459f7ebf1cdf37d1e4217f6a3da82130aa46aafe43

Download Submit
C:\Users\Admin\AppData\Local\Temp\Horion.dll

Filesize
2.9MB

MD5
3fa9ea1c0b62498bf0e5eeb3301283c5

SHA1
b5754ac473b18cdbdad637c634c598a47c737940

SHA256
9078b4f782ea6db2ad36063120ffab6ca9e4f4bc5ac4142382448cc3ec803eb6

SHA512
509407002956b1159de65cd491d89349b1132d4a5a31daa3023dc86266c5915c9c862ce3e3fad2a1bb04d2e86be28ff3fe68e18f84e2e4de3fc33f4fddebcefc

Download Submit
C:\Users\Admin\Downloads\234bcf4a-6871-403d-b83c-09ec7d745051.tmp

Filesize
147KB

MD5
6b5b6e625de774e5c285712b7c4a0da7

SHA1
317099aef530afbe3a0c5d6a2743d51e04805267

SHA256
2d79af8e1ff3465703e1dc73d3ef2182fd269ea2609c8afabdf1b80693405c1d

SHA512
104609adf666588af4e152ec7891cedafd89ad8d427063d03fb42a228babefc59428b0c8b1430cb3fc319a5014d2ee1083ff2b74fa585cab2d86cdad346e8b08

Download Submit
C:\Users\Admin\Downloads\HorionInjector.exe:Zone.Identifier

Filesize
136B

MD5
f522e79f91c842e3bae02f3b6f7e4d77

SHA1
c23b3d2a78b4074931d20e0284cdcd10ea031cbe

SHA256
fd04eb31b802d4763656bd355c803f3ab5b4f49832e6cbf667ad6a3a336f973f

SHA512
5dfe44a0c92b00f69fab499f72b0707293bd5b1753d584675144de4d4c6d73ab58eb30c98923ef47eabf1ac04aa30a8498331741164f038e4d07472cd8635056

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
74KB

MD5
aeb4849c786e7c0eb6a88adc6f6b6005

SHA1
d3df324b7c3c50fc22ab6835de7728ce4f7c3119

SHA256
86b14f6a72e3f71edbe549d26cb086858eeea2fa93d9329f3ea8db5c93ad665d

SHA512
c8d8279c06e5a13e9d687879b96c1e4192ac278a796b8c7e4d710753e20be307eb23a50d473ae05fe10ae5ccc4e84c17863703f2afaa0971166923451eff7779

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
101KB

MD5
6e6dea218889f8698ba1b91d638e41ea

SHA1
ee8d18b17e00a0356450fe80c3261cd68a33185f

SHA256
62bcc91808407433cc64e413109427753ba3cf6bea7eaad96a3e93835a42289f

SHA512
48717cf12f63983a3f8d84e39d6ab8c6be6406a064ef5edc4b6b5a0f964cafa5dc0c7e9b7b1bfe6815e7965a4a8e76980b421405ed6dc06fa91ed91de351b30d

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
106KB

MD5
2574913bde1eb039a717ff2faf939086

SHA1
a69739889bbb18e85412b77afd3afa33413cc2ac

SHA256
51a94d7110f94c857bb8c750467917fcbd76640d6a92ab5ca5117cff25215645

SHA512
e6c07c35b688ba4f5e36696a27d27bd7f57bff593847ac0e63db44f652049bb9570cf28b48aeb63c7cc2004ff10334968826fbd589c039461e07832e71400378

Download Submit
C:\Windows\SystemTemp\msedge_installer.log

Filesize
106KB

MD5
d8a0156ed5fe796cef9e156ec684667c

SHA1
68c04f6abc0a404c5c1050009a00187d086b6234

SHA256
ee89376eec74489946da59a4e2409dda8f61a287e72a48d9c86d37196e9c5a37

SHA512
87aee579168e34af33b40984598d69484a80e78428fe8a6bc8074128ee0c5c6c2bd20147ea7aed1bda412d060c5aee467c0388592642e06333fc74dd943dc1e2

Download Submit
memory/220-459-0x0000015EEB900000-0x0000015EEBA4F000-memory.dmp

Filesize
1.3MB

Download
memory/220-458-0x0000015EEB900000-0x0000015EEBA4F000-memory.dmp

Filesize
1.3MB

Download
memory/220-402-0x0000015EEB900000-0x0000015EEBA4F000-memory.dmp

Filesize
1.3MB

Download
memory/2108-385-0x000001DD1A190000-0x000001DD1A2DF000-memory.dmp

Filesize
1.3MB

Download
memory/2108-378-0x000001DD1A190000-0x000001DD1A2DF000-memory.dmp

Filesize
1.3MB

Download
memory/5016-5-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-7-0x000001F4D4C30000-0x000001F4D4C68000-memory.dmp

Filesize
224KB

Download
memory/5016-3-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-0-0x00007FF866573000-0x00007FF866575000-memory.dmp

Filesize
8KB

Download
memory/5016-6-0x000001F4D84F0000-0x000001F4D84F8000-memory.dmp

Filesize
32KB

Download
memory/5016-8-0x000001F4D4BF0000-0x000001F4D4BFE000-memory.dmp

Filesize
56KB

Download
memory/5016-2-0x000001F4D4460000-0x000001F4D451A000-memory.dmp

Filesize
744KB

Download
memory/5016-4-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-9-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-1-0x000001F4B9CC0000-0x000001F4B9CE8000-memory.dmp

Filesize
160KB

Download
memory/5016-14-0x00007FF866573000-0x00007FF866575000-memory.dmp

Filesize
8KB

Download
memory/5016-15-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-16-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-17-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download
memory/5016-18-0x00007FF866570000-0x00007FF867032000-memory.dmp

Filesize
10.8MB

Download