7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f

Analysis

max time kernel
45s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
02-05-2024 12:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Library.exe
Size

4.1MB
MD5

04ed10d94e5cd607770eecc9aee56105
SHA1

f43752eb19d1359efcc90e8b1e7078594beed40c
SHA256

7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f
SHA512

ff770a81822005bd0ff9b901cea3fc25d73daf06dafeaebf75cf2ba38841004fae6f6b102e6b34f215d1df5a647c1a398423ed32179ef1bb28b7562fa6036a27
SSDEEP

98304:+80h5vs4SZWnzJgKSF3UPDV/KQBR8rOI4i1q3:pGVs44WntglyCQwAz

Score

9^/10

evasion themida trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	Library.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	Library.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	Library.exe

Themida packer 2 IoCs

Detects Themida, an advanced Windows software protection system.

themida

resource	yara_rule
behavioral2/memory/4800-11-0x0000000000AF0000-0x000000000142E000-memory.dmp	themida
behavioral2/memory/4800-12-0x0000000000AF0000-0x000000000142E000-memory.dmp	themida

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Library.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
41	discord.com
42	discord.com

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
4800	Library.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-877519540-908060166-1852957295-1000\{9CDA9E1F-CE2C-4B8C-9EB2-C9C588FB1DAF}	msedge.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
1404	msedge.exe
1404	msedge.exe
2236	msedge.exe
2236	msedge.exe
4540	msedge.exe
4540	msedge.exe
3552	msedge.exe
3552	msedge.exe
1088	identity_helper.exe
1088	identity_helper.exe
5148	msedge.exe
5148	msedge.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 10 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of FindShellTrayWindow 25 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe
2236	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4800 wrote to memory of 3656	4800	Library.exe	96
PID 4800 wrote to memory of 3656	4800	Library.exe	96
PID 3656 wrote to memory of 1596	3656	msedge.exe	97
PID 3656 wrote to memory of 1596	3656	msedge.exe	97
PID 4800 wrote to memory of 2236	4800	Library.exe	98
PID 4800 wrote to memory of 2236	4800	Library.exe	98
PID 2236 wrote to memory of 4268	2236	msedge.exe	99
PID 2236 wrote to memory of 4268	2236	msedge.exe	99
PID 4800 wrote to memory of 4352	4800	Library.exe	100
PID 4800 wrote to memory of 4352	4800	Library.exe	100
PID 4352 wrote to memory of 4456	4352	msedge.exe	101
PID 4352 wrote to memory of 4456	4352	msedge.exe	101
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 4684	2236	msedge.exe	102
PID 2236 wrote to memory of 1404	2236	msedge.exe	103
PID 2236 wrote to memory of 1404	2236	msedge.exe	103
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104
PID 2236 wrote to memory of 3540	2236	msedge.exe	104

C:\Users\Admin\AppData\Local\Temp\Library.exe
"C:\Users\Admin\AppData\Local\Temp\Library.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of WriteProcessMemory
PID:4800
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/blammed
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3656
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xdc,0x108,0x7fff36cd46f8,0x7fff36cd4708,0x7fff36cd4718
    3⤵
    PID:1596
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2064,11306079887477156916,6494859241531547245,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2092 /prefetch:2
    3⤵
    PID:3384
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2064,11306079887477156916,6494859241531547245,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2152 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:4540
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://blammed.pro/
  2⤵
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7fff36cd46f8,0x7fff36cd4708,0x7fff36cd4718
    3⤵
    PID:4268
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2152 /prefetch:2
    3⤵
    PID:4684
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2204 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1404
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2664 /prefetch:8
    3⤵
    PID:3540
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
    3⤵
    PID:2564
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3320 /prefetch:1
    3⤵
    PID:3232
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3912 /prefetch:1
    3⤵
    PID:3908
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4632 /prefetch:1
    3⤵
    PID:5184
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4848 /prefetch:1
    3⤵
    PID:5204
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
    3⤵
    PID:5680
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5872 /prefetch:1
    3⤵
    PID:5788
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
    3⤵
    PID:532
- - C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3436 /prefetch:8
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1088
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3368 /prefetch:1
    3⤵
    PID:3840
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3344 /prefetch:1
    3⤵
    PID:5060
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3484 /prefetch:1
    3⤵
    PID:2004
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5172 /prefetch:8
    3⤵
    PID:3112
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2140,14636441127234380512,10080879172022399338,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5872 /prefetch:8
    3⤵
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    PID:5148
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/blammedsolutions
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4352
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7fff36cd46f8,0x7fff36cd4708,0x7fff36cd4718
    3⤵
    PID:4456
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2060,1900524552291626013,11851653081463898224,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2076 /prefetch:2
    3⤵
    PID:4308
- - C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2060,1900524552291626013,11851653081463898224,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2128 /prefetch:3
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:3552

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:4600

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5168

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:5464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
850f27f857369bf7fe83c613d2ec35cb

SHA1
7677a061c6fd2a030b44841bfb32da0abc1dbefb

SHA256
a7db700e067222e55e323a9ffc71a92f59829e81021e2607cec0d2ec6faf602a

SHA512
7b1efa002b7a1a23973bff0618fb4a82cd0c5193df55cd960c7516caa63509587fd8b36f3aea6db01ece368065865af6472365b820fadce720b64b561ab5f401

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
62c02dda2bf22d702a9b3a1c547c5f6a

SHA1
8f42966df96bd2e8c1f6b31b37c9a19beb6394d6

SHA256
cb8a0964605551ed5a0668c08ab888044bbd845c9225ffee5a28e0b847ede62b

SHA512
a7ce2c0946382188e1d8480cfb096b29bd0dcb260ccdc74167cc351160a1884d04d57a2517eb700b3eef30eaf4a01bfbf31858365b1e624d4b0960ffd0032fa9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
816B

MD5
47040e8cd934b6d4ded2123e3bbeb44d

SHA1
9e5c6eaa62b136bc1e51723accc41312e2fdaebe

SHA256
fe30d9dd4836d12ba278e2ed8720a9e5fd4eb5fca4e1eb00eaa408ebcab021f2

SHA512
050516518fec45147d5024653497b9efb69d364dff91b143106df6fc2612d2ea27750d084a2f0d4cb7ebc70e10bbc6b17554c04fd5e05a35dc71e5b26c14257d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
c75c9193d5e284e9a3a89bf872641224

SHA1
b9e6db85c01094b5eb663f1ad16d4586849578b2

SHA256
051ef46febf3f439eabbaee2bfe940a9cb80e340cb1e5bfb628625245e38d30d

SHA512
389e2d0254df05fc150567bc3e4879a3041fa2269645dd1a0e6d077678bfa188cfc2b71fa41174fa4ee44786ba5971178ee7fa24a19ec634eef59517c0462fd0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
a0e1e981bfaa46bf8b4038022f65104c

SHA1
93c12997fef45d8d2857630f5972c903211eca49

SHA256
17767a5db1a5d21670fc25dae0f9a8c7505a74f0ad796152bbdc9f360e23a978

SHA512
6c5960b73f8337a2d5d1f97f2c39cdf8f09c00ff9814168ab7b224a51ca403d3042b7fa220c8534463978b1667882f0823e142318253e546711ab91c94f45cb9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
980992fb521720d2404c1319bc3cdc87

SHA1
34b834d444f8be6c36e776fc89c9486db909a99b

SHA256
18f1d4d209298bf52b8aa132f636b117e133c0b9201a32091ad3dda2168fde91

SHA512
09a9ecf905d5abfed396b4f181e8e3aea96b3881dfaa7755d4a42e4633afd8c3cc3626efa4026b1c46663c5a3f5924b1ca135b1aad023682b21040f0766e57c2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
c141fa49e6ae4a889d323cc75367093d

SHA1
19a9c2d3ab14bb94405cfe6de3f2f52df65e53cb

SHA256
ad57f8d77450b410c22e550d845ce8d4c5046a4e1801e29661ceb6604dde0796

SHA512
a4dde621e4d19dda073da88a7399ee1e9afb0708904b633ee6f7d5de63b7ec620a34dc240a51ec58fac2c5df0e3e2d99ff14ec8ebe9f1fdc4a98bed1e52b8dc1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
8KB

MD5
b15d3612e714e9c695da83f206d3b69f

SHA1
1826a17ddf157cad3217d886ce9387a62f8922bf

SHA256
f7d77936b831744eb7d37ee5f622c2ce80fb4308c21c31e8e2b1627914d357f7

SHA512
53602afb9bacfff86589c80c6f904986343dc28efbf5a455201a2728718e961979a697f9c2680da91f0dffcc8df47dffb03c7bc899d84743a645bb20a7dc1e67

Download Submit
memory/4800-8-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-1-0x0000000076110000-0x0000000076111000-memory.dmp

Filesize
4KB

Download
memory/4800-14-0x0000000005D80000-0x0000000005E12000-memory.dmp

Filesize
584KB

Download
memory/4800-15-0x0000000005CB0000-0x0000000005CBA000-memory.dmp

Filesize
40KB

Download
memory/4800-16-0x00000000068E0000-0x0000000006CB6000-memory.dmp

Filesize
3.8MB

Download
memory/4800-17-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-18-0x0000000000AF0000-0x000000000142E000-memory.dmp

Filesize
9.2MB

Download
memory/4800-20-0x0000000076110000-0x0000000076111000-memory.dmp

Filesize
4KB

Download
memory/4800-12-0x0000000000AF0000-0x000000000142E000-memory.dmp

Filesize
9.2MB

Download
memory/4800-24-0x000000000A6B0000-0x000000000A74C000-memory.dmp

Filesize
624KB

Download
memory/4800-11-0x0000000000AF0000-0x000000000142E000-memory.dmp

Filesize
9.2MB

Download
memory/4800-13-0x0000000006330000-0x00000000068D4000-memory.dmp

Filesize
5.6MB

Download
memory/4800-0-0x0000000000AF0000-0x000000000142E000-memory.dmp

Filesize
9.2MB

Download
memory/4800-3-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-5-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-109-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-110-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-6-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-7-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-4-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-232-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-233-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download
memory/4800-2-0x00000000760F0000-0x00000000761E0000-memory.dmp

Filesize
960KB

Download