e97de3c318532ff7b6708d5da4f6864ec8b6315760d56736ace4834af99af1d5

Analysis

max time kernel
30s
max time network
32s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
29-03-2023 20:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

blueberry_valorant_external_free.exe
Size

4.3MB
MD5

aaaacda428369e9232ce8823b4a81f48
SHA1

c81f44134cddf51ba05da3c42327c084e239a956
SHA256

e97de3c318532ff7b6708d5da4f6864ec8b6315760d56736ace4834af99af1d5
SHA512

32225ee9eb191fb1797207fdbd518c6879f5bdf0e8d8bd1c8081a5b1938904ed80ae94f6928725a9bf691531b99db1ded47d890607aa4e9e0a8183173d9d2867
SSDEEP

98304:oj6Zo4FxbjVj69T4wrXuIPdqkf0SodDK3D5l4zdro7hW8vU8:3oA/j6pxQkw+lwk7Pvb

Score

9^/10

evasion persistence themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

blueberry_valorant_external_free.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ blueberry_valorant_external_free.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	blueberry_valorant_external_free.exe

Sets service image path in registry 2 TTPs 16 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

blueberry_valorant_external_free.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\dpGXLcJeGpWww\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\dpGXLcJeGpWww"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mWZyjosWmTwisWow\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\mWZyjosWmTwisWow"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\QjGkmqFjeYzkbNDK\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\QjGkmqFjeYzkbNDK"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\mwoWpkJxPVBlKFLgtxufXuGvR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\mwoWpkJxPVBlKFLgtxufXuGvR"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JCDqaXumnHrEQzSTUzJIrd\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\JCDqaXumnHrEQzSTUzJIrd"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ACoBOeNsquZyfa\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ACoBOeNsquZyfa"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\ePVoRYaFaAbzPR\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\ePVoRYaFaAbzPR"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\tdkQCLLuymRSVTwQpid\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\tdkQCLLuymRSVTwQpid"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\JcvaUaeTKFeByQvryfGKAV\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\JcvaUaeTKFeByQvryfGKAV"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\fpdMXVqYDCoChILFjtINVd\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\fpdMXVqYDCoChILFjtINVd"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\svcrwOubebE\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\svcrwOubebE"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\lwRhezcDSIrgZgRM\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\lwRhezcDSIrgZgRM"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\PJzTgtgQCOthJXYi\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\PJzTgtgQCOthJXYi"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XQKezJHhOhGQmUgCEUb\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\XQKezJHhOhGQmUgCEUb"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\XqSuEFXIqrUTELDmZoe\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\XqSuEFXIqrUTELDmZoe"	blueberry_valorant_external_free.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\CDzgHAcVboWVnCTACug\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\CDzgHAcVboWVnCTACug"	blueberry_valorant_external_free.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

blueberry_valorant_external_free.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	blueberry_valorant_external_free.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	blueberry_valorant_external_free.exe

Themida packer 7 IoCs

Detects Themida, an advanced Windows software protection system.

themida

Processes:

resource	yara_rule
behavioral2/memory/2440-133-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida
behavioral2/memory/2440-134-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida
behavioral2/memory/2440-135-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida
behavioral2/memory/2440-136-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida
behavioral2/memory/2440-232-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida
behavioral2/memory/2440-457-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida
behavioral2/memory/2440-578-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

blueberry_valorant_external_free.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	blueberry_valorant_external_free.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

blueberry_valorant_external_free.exe

pid process

2440 blueberry_valorant_external_free.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

Processes:

msedge.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

Processes:

msedge.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ msedge.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

msedge.exemsedge.exe

pid process

380 msedge.exe
380 msedge.exe
4868 msedge.exe
4868 msedge.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msedge.exe

pid	process
380	msedge.exe
380	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious behavior: LoadsDriver 53 IoCs

Processes:

blueberry_valorant_external_free.exe

pid	process
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe
2440	blueberry_valorant_external_free.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 3 IoCs

Processes:

msedge.exe

pid process

4868 msedge.exe
4868 msedge.exe
4868 msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of AdjustPrivilegeToken 53 IoCs

Processes:

blueberry_valorant_external_free.exe

description	pid	process
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe
Token: SeLoadDriverPrivilege	2440	blueberry_valorant_external_free.exe

Suspicious use of FindShellTrayWindow 4 IoCs

Processes:

msedge.exe

pid process

4868 msedge.exe
4868 msedge.exe
4868 msedge.exe
4868 msedge.exe

pid	process
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe
4868	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

blueberry_valorant_external_free.execmd.exemsedge.exe

description	pid	process	target process
PID 2440 wrote to memory of 4676	2440	blueberry_valorant_external_free.exe	cmd.exe
PID 2440 wrote to memory of 4676	2440	blueberry_valorant_external_free.exe	cmd.exe
PID 4676 wrote to memory of 4868	4676	cmd.exe	msedge.exe
PID 4676 wrote to memory of 4868	4676	cmd.exe	msedge.exe
PID 4868 wrote to memory of 2756	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 2756	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 1244	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 380	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 380	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe
PID 4868 wrote to memory of 3796	4868	msedge.exe	msedge.exe

C:\Users\Admin\AppData\Local\Temp\blueberry_valorant_external_free.exe
"C:\Users\Admin\AppData\Local\Temp\blueberry_valorant_external_free.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Sets service image path in registry
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2440

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c start https://discord.gg/9Psv9VZMUn
2⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/9Psv9VZMUn
3⤵
- Enumerates system info in registry
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:4868

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffa7ce446f8,0x7ffa7ce44708,0x7ffa7ce44718
4⤵
PID:2756

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2136,17155698902501750251,8259482288371863487,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2240 /prefetch:2
4⤵
PID:1244

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2136,17155698902501750251,8259482288371863487,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2292 /prefetch:3
4⤵
- Suspicious behavior: EnumeratesProcesses
PID:380

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2136,17155698902501750251,8259482288371863487,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
4⤵
PID:3796

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17155698902501750251,8259482288371863487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3592 /prefetch:1
4⤵
PID:3236

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17155698902501750251,8259482288371863487,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3584 /prefetch:1
4⤵
PID:3504

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2136,17155698902501750251,8259482288371863487,131072 --disable-gpu-compositing --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5160 /prefetch:1
4⤵
PID:4008

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c pause >nul 2>&1
2⤵
PID:712

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
2⤵
PID:4016

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3516

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
cd4f5fe0fc0ab6b6df866b9bfb9dd762

SHA1
a6aaed363cd5a7b6910e9b3296c0093b0ac94759

SHA256
3b803b53dbd3d592848fc66e5715f39f6bc02cbc95fb2452cd5822d98c6b8f81

SHA512
7072630ec28cf6a8d5b072555234b5150c1e952138e5cdc29435a6242fda4b4217b81fb57acae927d2b908fa06f36414cb3fab35110d63107141263e3bba9676

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
Filesize
152B

MD5
1d40312629d09d2420e992fdb8a78c1c

SHA1
903950d5ba9d64ec21c9f51264272ca8dfae9540

SHA256
1e7c6aa575c3ec46cd1fdf6df51063113d277012ed28f5f6b37aea95cd3a64ac

SHA512
a7073247ae95e451ed32ceeae91c6638192c15eaad718875c1272eff51c0564016d9f84690543f27df509a7d579de329d101fbf82fed7cbeb27af57393de24ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
48B

MD5
5f1f2ecb7d7498721805e4823c2c63ab

SHA1
8a05bd14a52313af596658538137b9577820f825

SHA256
d8fe959a4d9ed1b3c6d6b6b01bfec8deedbf70476a2b19751bd8b969d29b7976

SHA512
b483dabc612dab2123b0ba7968ca71469c6ae3c2bf23f5777a371e96f615a9a3f759143fca47addacfe295c494bd6fc0ae27bccf237201b802d9c499d91dc996

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
Filesize
120B

MD5
e849218fa5f77a569790ceff9b4c0e31

SHA1
19497564b62b34f6382e13c3e83eba1f582815c7

SHA256
aa86b3a2d2a05cb681966226356f3c99664284826ff6375e133ab9d4560fc062

SHA512
d16c05a227d337fab5fca75b68652bb82b1a3abc620246cb47d12ffd6d0212f2bfbeca3a00dfc3638c584c282fbefb1292946b87ff0db0114bcc9ec402098dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Microsoft Edge.lnk
Filesize
2KB

MD5
7922556394d9a73007243d76cc639c9f

SHA1
787fbc715bf89bbab90996d9124348287eac740d

SHA256
1f79d73f5abed11743e8b2890864811a8acfb6ae583223544c745a9a7a9c65db

SHA512
32c2edaa074f07d2d2f3466ff4777f58a99cc02833f673aca8e9c49f07b8014bb43da03e1c4bcf208150342b28aeb931c731be48bab0fd8567058398974d922a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
Filesize
459B

MD5
467ebfc7e4014c738870ef6fc4a67c56

SHA1
3fd5124e097b7f5a5d837e834ef8f9244825ffb1

SHA256
f17b90a06dab3c958ef60f6b5ad1618b01bc4ccf594b8eb74b56d5c5e11b3fe6

SHA512
8f76028d29738814218f08fbcda64cbfa2709a4a06139fd15c5cdada9786e725086fabc38e1c449c16bc11cd1e39ad55c32227f2367b14a387ddb0ec24a790d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
4KB

MD5
ea81fe99b061a5f3ad3d16a3378670e2

SHA1
29678f2bada2d4cafcdcdd27c67797fe8d6f773a

SHA256
10ce81d9aab7710e5181e633645a33ec2cb9fe06612a87d0538b897cc361d16e

SHA512
2befc94ba20620f2ef641b55d55e1b2fa45906b35c596dbbbb87270d617e05cec6bf660b21097c4c9d102cc4d79a907edc050f9dadee39f3a99ae359868edf79

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
Filesize
6KB

MD5
efb1737f5683aca654f5f685484c6b1b

SHA1
6def1e81d2a809b63c4f55ab8dd649add80be746

SHA256
268a6913f368eb628501cbb08468885d2085c9ac1319091e10bb2f11dc27705e

SHA512
ae15d48e6a43b51c75a7f318f580f23c44e85419d703aa7d5b4cd0250bac0ffa7120334e198cf26dfa81774ca67b01b9bf447398e594e8b60db7a2090f97e9f4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences
Filesize
24KB

MD5
1463bf2a54e759c40d9ad64228bf7bec

SHA1
2286d0ac3cfa9f9ca6c0df60699af7c49008a41f

SHA256
9b4fd2eea856352d8fff054b51ea5d6141a540ca253a2e4dc28839bc92cbf4df

SHA512
33e0c223b45acac2622790dda4b59a98344a89094c41ffdb2531d7f1c0db86a0ea4f1885fea7c696816aa4ceab46de6837cc081cd8e63e3419d9fcb8c5a0eb66

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Session Storage\MANIFEST-000001
Filesize
41B

MD5
5af87dfd673ba2115e2fcf5cfdb727ab

SHA1
d5b5bbf396dc291274584ef71f444f420b6056f1

SHA256
f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4

SHA512
de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\a8cb0e83-8380-4d3e-8f54-2fb1b488c54f.tmp
Filesize
70KB

MD5
e5e3377341056643b0494b6842c0b544

SHA1
d53fd8e256ec9d5cef8ef5387872e544a2df9108

SHA256
e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25

SHA512
83f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\shared_proto_db\CURRENT
Filesize
16B

MD5
46295cac801e5d4857d09837238a6394

SHA1
44e0fa1b517dbf802b18faf0785eeea6ac51594b

SHA256
0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

SHA512
8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\GrShaderCache\GPUCache\data_1
Filesize
264KB

MD5
f50f89a0a91564d0b8a211f8921aa7de

SHA1
112403a17dd69d5b9018b8cede023cb3b54eab7d

SHA256
b1e963d702392fb7224786e7d56d43973e9b9efd1b89c17814d7c558ffc0cdec

SHA512
bf8cda48cf1ec4e73f0dd1d4fa5562af1836120214edb74957430cd3e4a2783e801fa3f4ed2afb375257caeed4abe958265237d6e0aacf35a9ede7a2e8898d58

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
Filesize
9KB

MD5
61133d7eca52148cc4f858a038109cac

SHA1
d875021634a11fc6e6769ffdd02c4d212cc9077e

SHA256
c8f32c09eb4c68d5236e5979b3e0b54f903612272cc84e9c2e89f71a3fd7d4d2

SHA512
27b111ef7de12dac6d890b3b31f478cadb4d6bec9515da11e0afddb8a2a09ca484108831f64a07fba6557e956cf5cb721349fcbb0b5f0219dd5a732594cb8181

Download Submit
C:\Users\Admin\AppData\Local\Temp\lwRhezcDSIrgZgRM
Filesize
33KB

MD5
1898ceda3247213c084f43637ef163b3

SHA1
d04e5db5b6c848a29732bfd52029001f23c3da75

SHA256
4429f32db1cc70567919d7d47b844a91cf1329a6cd116f582305f3b7b60cd60b

SHA512
84c3ccc657f83725b24a20f83b87577603f580993920cc42d6da58648c6888d950fd19fbb8b404ce51a3eab674066c5cefe275763fbdb32e1ae1ba98097ab377

Download Submit
\??\pipe\LOCAL\crashpad_4868_ARNABIPXZHZLGUUD
MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/2440-136-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download
memory/2440-135-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download
memory/2440-134-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download
memory/2440-232-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download
memory/2440-133-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download
memory/2440-457-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download
memory/2440-578-0x00007FF6B6AC0000-0x00007FF6B761C000-memory.dmp

Filesize
11.4MB

Download