hxxps://mega[.]nz/file/o3sEwbKJ#fNjG4rkjiCiScNvbhlhqGLf6G3sa4Hx2uiIk5d6273g

Analysis

max time kernel
1810s
max time network
1700s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
18/02/2024, 14:18

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

https://mega.nz/file/o3sEwbKJ#fNjG4rkjiCiScNvbhlhqGLf6G3sa4Hx2uiIk5d6273g

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Horizon Main.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Horizon Main.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Horizon Main.exe

Executes dropped EXE 1 IoCs

pid	Process
3864	Horizon Main.exe

Themida packer 8 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral1/files/0x000600000002328a-195.dat	themida
behavioral1/files/0x000600000002328a-233.dat	themida
behavioral1/memory/3864-235-0x0000000140000000-0x0000000140B16000-memory.dmp	themida
behavioral1/files/0x000600000002328a-236.dat	themida
behavioral1/memory/3864-238-0x0000000140000000-0x0000000140B16000-memory.dmp	themida
behavioral1/memory/3864-239-0x0000000140000000-0x0000000140B16000-memory.dmp	themida
behavioral1/memory/3864-240-0x0000000140000000-0x0000000140B16000-memory.dmp	themida
behavioral1/memory/3864-261-0x0000000140000000-0x0000000140B16000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Horizon Main.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
3864	Horizon Main.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133527395641518890"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
3800	chrome.exe
3800	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: 33	2268	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	2268	AUDIODG.EXE
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe
Token: SeShutdownPrivilege	2100	chrome.exe
Token: SeCreatePagefilePrivilege	2100	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe
2100	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2100 wrote to memory of 1740	2100	chrome.exe	72
PID 2100 wrote to memory of 1740	2100	chrome.exe	72
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 4820	2100	chrome.exe	86
PID 2100 wrote to memory of 2740	2100	chrome.exe	87
PID 2100 wrote to memory of 2740	2100	chrome.exe	87
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88
PID 2100 wrote to memory of 4960	2100	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://mega.nz/file/o3sEwbKJ#fNjG4rkjiCiScNvbhlhqGLf6G3sa4Hx2uiIk5d6273g
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2100
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffde36e9758,0x7ffde36e9768,0x7ffde36e9778
  2⤵
  PID:1740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1620 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:2
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2144 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:2740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2208 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3188 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:1
  2⤵
  PID:1892
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3172 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:1
  2⤵
  PID:3740
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3836 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:2968
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5348 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:5012
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=4476 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:3096
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5180 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:456
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5908 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:1816
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5788 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:4888
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5832 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:4660
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5868 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:528
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=5236 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:2164
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5968 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:8
  2⤵
  PID:3060
- C:\Users\Admin\Downloads\Horizon Main.exe
  "C:\Users\Admin\Downloads\Horizon Main.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  PID:3864
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1768 --field-trial-handle=1716,i,13390918609267168449,14008681955537072907,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3800

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1428

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x248 0x2ec
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2268

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1236

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000027

Filesize
17KB

MD5
950eca48e414acbe2c3b5d046dcb8521

SHA1
1731f264e979f18cdf08c405c7b7d32789a6fb59

SHA256
c0bbe530abfce19e06697bc4358eb426e076ccdb9113e22df4a6f32085da67a2

SHA512
27e55525ade4d099a6881011f6e2e0d5d3a9ca7181f4f014dc231d40b3b1907d0d437b0c44d336c25dd7b73209cd773b8563675ac260c43c7752e2d2d694d4d9

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
0f6b96ca3933a05564d03078262ed3f2

SHA1
d5b374d13c39b08dbeb8f9b7126a01fdfcac9ef5

SHA256
1466e96b135ba3f451453a75f03de0cb7dc5b844cac905ffa0530f8c23a2d702

SHA512
f13c5e8dc03518b0b27f03f1bfb29a272ba3f5ec2e9f5d005219222f0f5c8724c3c37a173731838eefbefdf6f190c7918629ad704efe59cf16ac548c1b6008b0

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\File System\000\t\Paths\MANIFEST-000001

Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\IndexedDB\https_mega.nz_0.indexeddb.leveldb\CURRENT

Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
9e87fdcaa9bd844fd150f6c19acaf314

SHA1
78574844fdaa213cafefa4348510530bdf72775a

SHA256
63c895160a58b4626f4c8a2f3863d95a7b8dd5004b7bd58873a19c8f26616de3

SHA512
d769b09601e85faa965b8b280d5bd62d1198dc08425b5a32f0874ec346590b4cb6e860d59f05742a3a18a08d158c043076f7b0be2444dd198612c06dd84d9bbb

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
538B

MD5
35771a7de69b8420a675e0b190db7deb

SHA1
86dc8a857fc3d58bda446886033b25697fab03e3

SHA256
9a7b5018c243c7c74b2cee5093a11666a8b4c96bf559e2ec56728e5435edcbc6

SHA512
812c12c8790004af4baa7f6d1abb173be98bad61df6395976f5cb9b52729a947b0ebc814395980c3b39c6e31d88ad62b5633871400eecc954eff8f04e0714e48

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
b0c5c8ab14213e602a3fea9a00ee2628

SHA1
e2f6123d45a3d96e99d9c5929871e7f8cfc33b6c

SHA256
8219db8f163d2b7d3169403e7a54dc7d1eb0b233a76a90c02296fd6da686daa5

SHA512
ab17b684a74d71d3b61aff41115c2ff281992ddf29fa7f869bf692fc19d9eab508926be6919084b14b84119f1334df1f8c0f6976c9a08b9d3c85fbf09e5c5966

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
6KB

MD5
0c1c7ef361fcd3fa6cdf2344582fe514

SHA1
b1a5e17383d20861bcfbea7af8bad4041ac311e1

SHA256
9f615259806494b180694b183dad1b7cdf631a62b3e774a4306e2430b2ca5d7b

SHA512
967ba0ea3a9022c5434b55f4c066f0c98a02a8788ff42e0f347a37378235d906607bd07057f9463e6b41f01dc3c308a5dbb72c33932886db4b7909536e3fa1e1

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index

Filesize
72B

MD5
743fa25f9e6f6c37857a48171c6f5940

SHA1
f8ed1c0a367cd21bd244b420b7de9a20ae3cf531

SHA256
e867531fb3e11e4370245f3c53c0817e71be3105cae6b1f6aa250b65cea4de18

SHA512
ff1e80a903f921190f5af89b9b19fc4f4fff45e24601bd4ad503533610b8f67c9cbf04de49a8b37b11be81094fc59be45bdf96b3f0f4de62a154ba62a9749b2a

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Service Worker\ScriptCache\index-dir\the-real-index~RFe5813d1.TMP

Filesize
48B

MD5
322d4f8f9fa48f9385eed8abfacaba1b

SHA1
152e3f35c91046367f0558c0f5f364177ce259f1

SHA256
37709709de63ae49b4b4d77b2cbdc60adf46385eb39d149ec9de9d181c7cf74c

SHA512
41726df32358c881fd79f496d07e6f1ab011848185ee4d1bb12f1824d15ccff9e4a0bc61e89ab2f379179b27c1d7d87b9266d16f9b9d10daf6c304fbc2876a73

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
114KB

MD5
9d67b77bc0faadaf91a95203aa29298d

SHA1
f926a5940b66ea07ddd522a063a330298dd26724

SHA256
0cc6bc574be4b1ead5c6c58036654db54df8e2ac5f1c2aeb358174fd0b481dd9

SHA512
9a4933eae1bfd18f1c406e4907a1bae1fc2a53e4a4d899bbe0b3b91944e6e8fda086060a341a5e7890cbfc5f59c4a5b7c487d3374b1a75153ecfdc0193b59dc5

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
107KB

MD5
a25463b900323a00bb9cad713a3af864

SHA1
abae7aa69a263d1296403902200f4a5260da897f

SHA256
1ff41958fece5d614ac9ae41274c25644636546046a1072bb1ed925693a77929

SHA512
c2af0988698364ea682369908d7d26b89fe0f027abb073bd03307977269d939bfa6a826dbd1fb9ea5941baf07fafabc07e6b12ba97e068841d25c9eca46a3111

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache

Filesize
114KB

MD5
6769376ad9e3e670a7e2a6b96460220d

SHA1
7e7c100342e7b15a0a6cff6d95691d734a0c6543

SHA256
c16414bcb59c5b04b0266b2d82aa0c59e3dc2180b9c96d4b36535f314e3159ba

SHA512
9c6d8b1b853e74151623897678564820c3fedaa05fc12986f5a9b3f89cd096650d2ec5fa4c921688776c760665190d5f6e6745ab0cc8df9cd34dd7a2f4648355

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Module Info Cache~RFe5817b9.TMP

Filesize
101KB

MD5
ff25b791eb193b1088e4892971436c15

SHA1
1536e36b219cc627b77dd5e5a631875a968bd97c

SHA256
c7f2cf419d7b1e778f89211970acdb33556a55ac5159e4f1e5e5e6242f36305e

SHA512
47bf5a1822126e44b7c8588b30a5635419962df2d842512f4433e9c8e66f16130a568ec301803619127cfbff4d922aeb2f13c9b01ea51271b7ae983e3986dc99

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\d1525652-3bfa-4815-a9a3-c3aef9ba9168.tmp

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\Downloads\Horizon Main.exe

Filesize
4.3MB

MD5
7d3124968ac9e30da8e856cbf513d0d9

SHA1
ff9ea4c1f6c29683a9dc3f8b42227d35b8c3c73e

SHA256
4cd95084f15b2da44f6b23676a4daf40a9598188c71a0dbf22320a05c8a0a9ca

SHA512
3e614cb462cad463df635920c2f92d53844dbbe5cc9954705f99400c679355492eddb37031beededb8cce92becf30323f6cb44d948ddcabbc38eab4cb2dc06d1

Download Submit
C:\Users\Admin\Downloads\Horizon Main.exe

Filesize
3.2MB

MD5
1fc7d20253318426e8b93b1d1005e51b

SHA1
8d4dc5a94e114f3654dbfb333b54e10848ac4e8c

SHA256
6e35e2678a7625c1f4af9ed2b44a9f10b3cde7c75601300e4bbdb442aedb381b

SHA512
dfc5830b3480e59a4b985dcf021ab20a2acad291a500423f15edaccd992d21682742c9d4f62cb1930ae5bcfc4e3efc9f897b850cf0493a22fa28e706c024f250

Download Submit
C:\Users\Admin\Downloads\Horizon Main.exe

Filesize
2.2MB

MD5
fc57f16f8d3d0d265d5e1139df4acd24

SHA1
a319b401a7c6d3e42a58eb179d25d377a12f7fdb

SHA256
89e1026a2e12e68143f470d736fa32a333bf30f820507d3884c49b912dbbfef4

SHA512
85d8925d2153145c61e87f63b707b5c6392c2c93ee1441d4b7a581da99329eb0329d3cd755d311d6d7982b795271ac6a7c5ad51e39f511397e0bc47b80b2c270

Download Submit
memory/3864-235-0x0000000140000000-0x0000000140B16000-memory.dmp

Filesize
11.1MB

Download
memory/3864-240-0x0000000140000000-0x0000000140B16000-memory.dmp

Filesize
11.1MB

Download
memory/3864-239-0x0000000140000000-0x0000000140B16000-memory.dmp

Filesize
11.1MB

Download
memory/3864-238-0x0000000140000000-0x0000000140B16000-memory.dmp

Filesize
11.1MB

Download
memory/3864-261-0x0000000140000000-0x0000000140B16000-memory.dmp

Filesize
11.1MB

Download
memory/3864-237-0x00007FFDF1A50000-0x00007FFDF1C45000-memory.dmp

Filesize
2.0MB

Download