Malware Analysis Report

2025-06-15 21:44

Sample ID 230413-x2rd7seh7t
Target BlitzedGrabberV12-main.zip
SHA256 9fc3d534a8cbdc6147fb1e68bc0416a5cf7ce2b52fd485f207d2c914c938656c
Tags agilenet
Score 7/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral9

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral10

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral11

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral12

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score 7/10

SHA256 9fc3d534a8cbdc6147fb1e68bc0416a5cf7ce2b52fd485f207d2c914c938656c

Threat Level: Shows suspicious behavior

The file BlitzedGrabberV12-main.zip was found to show suspicious behavior.

Malicious Activity Summary

agilenet

Loads dropped DLL

Obfuscated with Agile.Net obfuscator

Program crash

Modifies Internet Explorer settings

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-04-13 19:21

Signatures

N/A

Analysis: behavioral3

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:23

Platform

win7-20230220-en

Max time kernel

100s

Max time network

135s

Command Line

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388185862" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a00000000020000000000106600000001000020000000b7fbbd9605b95644b7a1180e81b8c00182a20a782bdf70495d24ab0e2ee7124e000000000e8000000002000020000000a06e229fb7c88b61858484f946fb53a2128a2d0181d670984afa3958bcefb21f20000000f7c7540695d9084da99cc9d3b2c144c87439b6fa10c9b4a60a086049dcd26b694000000043b148e1c7ce5862c918ec8ef37f8ed67d5b0b956d9ddbeac58120602131431f3e86a34bff7812c42014a52157b1c622ff3ad7ef723e4e463ca3a65f74aca4ed C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fba6cfbdd4578d48a4e75475bed73c6a0000000002000000000010660000000100002000000087737da2257fca3b8b6947a0418afa105ece228bd036389fc4eca97b2b516c45000000000e80000000020000200000008032187773a23abd099daa73ae917c249d1ef6b48f83fbaef9becc9012a1ac2a90000000c8e87054512dd3200ccdd3563bd059f9aa548f0a8c012bb45c66770ef02329d5515c39ebbde3cdf5796a8a9c63bd050ee8a890dd63a1d0e6d21d00118b31f3ad59f042ef89e5db8456ad1b27b59bdbb97bcd9379530f021a735c621b630d902678a6d2652d0afc69d01da0bdf54512a7ae5bab3d87e3e1c1a7f69a48218f2ed2567cd78a5b4aea314e42685a5e11f90f4000000052110a6bae3fc9dadd8856773d3f86b0ea8b49da6c1f3c7d8090cdb2fd5a4939752505d77c1fe2f90fa308c050e4a2a8323cf254169aa4928841d65d2356c2b0 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = e0386bfd4d6ed901 C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{26A31201-DA41-11ED-88FE-724BB54F6CA2} = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3948302646-268491222-1934009652-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1992 wrote to memory of 688 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1992 wrote to memory of 688 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1992 wrote to memory of 688 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 1992 wrote to memory of 688 N/A C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 688 wrote to memory of 1392 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 688 wrote to memory of 1392 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 688 wrote to memory of 1392 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 688 wrote to memory of 1392 N/A C:\Program Files (x86)\Internet Explorer\iexplore.exe C:\Program Files\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1392 wrote to memory of 524 N/A C:\Program Files\Internet Explorer\IEXPLORE.EXE C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

Processes

C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE

"C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE14\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -nohome

C:\Program Files\Internet Explorer\IEXPLORE.EXE

"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1392 CREDAT:275457 /prefetch:2

Network

Country Destination Domain Proto
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

C:\Users\Admin\AppData\Local\Temp\Cab6A0D.tmp

MD5 fc4666cbca561e864e7fdf883a9e6661
SHA1 2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5
SHA256 10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b
SHA512 c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 e71c8443ae0bc2e282c73faead0a6dd3
SHA1 0c110c1b01e68edfacaeae64781a37b1995fa94b
SHA256 95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72
SHA512 b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

C:\Users\Admin\AppData\Local\Temp\Tar6B5B.tmp

MD5 be2bec6e8c5653136d3e72fe53c98aa3
SHA1 a8182d6db17c14671c3d5766c72e58d87c0810de
SHA256 1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd
SHA512 0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7a5ad311f29c56edde87a45973d24423
SHA1 e36a1b6743a5601af1da5beb60a73a2e76d26b25
SHA256 70fa592340454596813513ebe8fd65f8a9701cb3735351bcd6edcea0701d7ec5
SHA512 0c72c9f54752c480d7a70d899ab6829a31a62061abb515794d505d001e247f7bd640d7a915ca985ab181553c9381828c1537cdb1b6de4039a7f219ad5c785cd5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2e8dd1dee2db8209af7a1146b3b785f2
SHA1 574d326fb7668c3366965005322608952d713f50
SHA256 d73d99e555826b84450e57d06169acde4ad4428545d38734b132b9c6594313f9
SHA512 843327224b21b8522f7b1d6607e82c4a8cdb86fdfe857671578fcadfe9a5cebb36a2b6f1095c0a991cab23855fd87e5965c5d8a2e511dec3ea8b3169e73fe657

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2d1b527ecbdf91171ad39923cf2a7f3e
SHA1 c6125628c7d829a8c0dcd46365c994be1c0a485b
SHA256 11d0c43d4d8cd686933a9f89aae7b044c0418c2ba22ab763fab943d4ebb08c3d
SHA512 86f510a34b3830b2b8be6b73fbd4f373ab3169cd5db5765c148147f6a9fb83c7d82763047b60fbf6109e424b3370394221a7342c5f19d9ecaf52315a6696ab0d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 269e4cd371ccddc31edd7bc560983e8f
SHA1 4b974bd49bb4208554fc19c0e595ce5653fc2055
SHA256 0d49e45d1bce3aa89aab93cf341c7e1974142a12885a3fc3e994244b438786af
SHA512 61c42d57c0f67bd38efd8f829b544d2a9244dabe5eba3d5a24db210120f567b5a4eb6437849d4fca8067891edf1402b01427697a9a79b79d6e1ac6f031af668d

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 eb8308140d128c46313c7347c238b707
SHA1 2961d1130cb1e800daff6ed740b6f0e312c8790b
SHA256 60c09e64ed28cd9b2b584bfc84c7b9638f569e83f223f7bd88f2fa22cb6ac391
SHA512 1a65050eb31da48733106854b4c21eda9d8d481cde58cfdd3014a7e3ebd8ecfef60fd98e1ec5e15738a22d5bc55553b52e9d95f5ec02fcf4c99782ce556272bc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 5f688de5656d46e931e7361ff989c92a
SHA1 180f073aeb14a89ef20a3a659f16a919f39ecbe8
SHA256 a389f85ccfdc2a4a8c0d7e96393511e9b2b59f2425aafa96d03b8ac3b71b08b7
SHA512 80216e2b0ea0308f15a36941c67651938d1c3dfe0b28c0fdd87bb7100329f40e12ccf0fd3fc92744b4082795c2862a82cab7d94004982888a650bc63022c7fe8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 e562bf0546756b33d754a24fbbd3506b
SHA1 231172b7f5241feafd855e95afa4b7a29dde0ca9
SHA256 fb64091ebf4da3bf52c6c81e82fa707a2ca900da340cc0f0604735af96d3d10d
SHA512 0af1bb8bdc029eaefcc3911b5406738a92778c1d7b5a7757d3cffeb4ef29fe2fd099e7f8088641acfdf9b47c3c75abedd3a815def529b5febaee766d348670cc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7e6d3140ea0d8c30f78023807f573cc9
SHA1 a514781c23899cdd11fe85fa13dd89c07749d0fe
SHA256 95813117488bff6cfcb6dbe0803314698dad7d1bb272059826f032cabfdd142e
SHA512 545581523cbe3f1717df36ed19f21e28830f147d1ec677d7c7cbf59a1df8d5cc9628a3f864bd82d22544548bb144ca8cb987843c8dbeb9afdc8bba2559e51a76

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 393107f58e705e36b090609865b8d614
SHA1 8ec5702169467e605da169d404994fa0d26f9a33
SHA256 2a9d73a235b435e3fe0d39c34a7cbb989ae05d1bfdcca0e32bc8de4a6f69f302
SHA512 b889c9e5a33a95e2d98c949ea681081af2c199e942f493da9eae6751481bca7a8e9ec85b3ac2ea10179d2a15d2afa8f409c07692c5159a909ca9c8a4da605966

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\QMZ9HGIF.txt

MD5 17562ee9a1b5fa8a823435d1e07ed4f6
SHA1 fc74911ba3cf9fcc0a5e97a33621f00776e0b05f
SHA256 4988e836f542b9f3604941a0a53f215ae441ae041f4b73752773deaad1ccf7e6
SHA512 a5c274fbca3ddf15f0a2ec5321dc948c08bc0af9d3386eaa9ccdc41fd10208582ba88d30153a6f2ddd219ae11ec6ee2e5b135680dd8d13639f8aee8d8044ab71

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\AFOBZ3YS\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral6

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win10v2004-20230220-en

Max time kernel

120s

Max time network

143s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 240.232.18.117.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 117.18.237.29:80 tcp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 76.38.195.152.in-addr.arpa udp
US 8.8.8.8:53 58.55.71.13.in-addr.arpa udp
US 8.8.8.8:53 254.211.247.8.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 20.189.173.5:443 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
US 117.18.237.29:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 204.79.197.203:80 tcp
US 117.18.232.240:80 tcp

Files

N/A

Analysis: behavioral7

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:23

Platform

win7-20230220-en

Max time kernel

30s

Max time network

33s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral9

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:23

Platform

win7-20230220-en

Max time kernel

31s

Max time network

34s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral10

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win10v2004-20230220-en

Max time kernel

62s

Max time network

153s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\Newtonsoft.Json.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 8.3.197.209.in-addr.arpa udp
US 117.18.237.29:80 tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 18.31.95.13.in-addr.arpa udp
US 20.189.173.1:443 tcp
NL 8.238.177.126:80 tcp
NL 173.223.113.164:443 tcp
NL 173.223.113.131:80 tcp
US 8.8.8.8:53 1.77.109.52.in-addr.arpa udp
NL 8.238.177.126:80 tcp

Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:23

Platform

win7-20230220-en

Max time kernel

141s

Max time network

30s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
33 matches; description, indicator, process and target are all reported as N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Network

N/A

Files

memory/1972-54-0x0000000000A60000-0x0000000000C0C000-memory.dmp

memory/1972-55-0x0000000004EA0000-0x0000000005092000-memory.dmp

\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

memory/1972-62-0x0000000074990000-0x0000000074A10000-memory.dmp

memory/1972-63-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-64-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-66-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-68-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-69-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-70-0x0000000074380000-0x00000000743B7000-memory.dmp

memory/1972-72-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-74-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-76-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-78-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-80-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-82-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-84-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-86-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-88-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-90-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-92-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-94-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-96-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-98-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-100-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-102-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-104-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-106-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-108-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-110-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-112-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-114-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-116-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-118-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-120-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-122-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-124-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-126-0x0000000004EA0000-0x000000000508E000-memory.dmp

memory/1972-1242-0x0000000074380000-0x00000000743B7000-memory.dmp

memory/1972-1241-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-11721-0x0000000004B80000-0x0000000004BC0000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.Config

MD5 02bafe634a181de6af59ecfb1a9a7230
SHA1 5fb944dc91a95007795d83f2037cfe42f0d959f0
SHA256 6288699c8a0e00de7329c8f642bc22e6d7ed873f1decd32f05231cf69cac4470
SHA512 3e4dc4ae10bf527b98608883638356a84aa9652707276981458b0d9c58f000b290f24b4fbd1794ef02484ccf5ff43d5b55ab7161f5c9f408f68f7caa0676b362

memory/1972-11730-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-11729-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-11731-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-11733-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-11732-0x0000000004B80000-0x0000000004BC0000-memory.dmp

memory/1972-11734-0x0000000004B80000-0x0000000004BC0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win10v2004-20230220-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe N/A

Obfuscated with Agile.Net obfuscator

agilenet
Description Indicator Process Target
32 matches; description, indicator, process and target are all reported as N/A

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 14.110.152.52.in-addr.arpa udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 68.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 45.8.109.52.in-addr.arpa udp
US 209.197.3.8:80 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp
US 52.152.110.14:443 tcp

Files

memory/3000-133-0x00000000009E0000-0x0000000000B8C000-memory.dmp

memory/3000-134-0x0000000005C20000-0x00000000061C4000-memory.dmp

memory/3000-135-0x0000000005560000-0x00000000055F2000-memory.dmp

memory/3000-136-0x0000000005660000-0x0000000005670000-memory.dmp

memory/3000-137-0x0000000005530000-0x000000000553A000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\AppData\Local\Temp\dcfb00f9-5ae7-4197-ba59-e48107e40d35\GunaDotNetRT.dll

MD5 9af5eb006bb0bab7f226272d82c896c7
SHA1 c2a5bb42a5f08f4dc821be374b700652262308f0
SHA256 77dc05a6bda90757f66552ee3f469b09f1e00732b4edca0f542872fb591ed9db
SHA512 7badd41be4c1039302fda9bba19d374ec9446ce24b7db33b66bee4ef38180d1abcd666d2aea468e7e452aa1e1565eedfefed582bf1c2fe477a4171d99d48772a

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.Config

MD5 02bafe634a181de6af59ecfb1a9a7230
SHA1 5fb944dc91a95007795d83f2037cfe42f0d959f0
SHA256 6288699c8a0e00de7329c8f642bc22e6d7ed873f1decd32f05231cf69cac4470
SHA512 3e4dc4ae10bf527b98608883638356a84aa9652707276981458b0d9c58f000b290f24b4fbd1794ef02484ccf5ff43d5b55ab7161f5c9f408f68f7caa0676b362

Analysis: behavioral4

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win10v2004-20230220-en

Max time kernel

136s

Max time network

156s

Command Line

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

Signatures

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026766" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31026766" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "388185874" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 500c76044e6ed901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "15315966" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31026766" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "50160938" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 10698b044e6ed901 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{2ABFEF1B-DA41-11ED-BDA1-5E272E2E2FB8} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca130200000000020000000000106600000001000020000000cf7c4fec0a1e72e73732a04ce7684a3cbe8baba95fc54c3d86f724d35c002e59000000000e8000000002000020000000a5accc0a4dbb0b50b24b293c0ee3b4d4275ea50b3edf46d6a78f44649e45fbf020000000da23df161dec0151b73f34d384169292f49ed56fc562a593b122e2a4f53254c2400000006c7f5ff33563079e339f2313fa3bc5202a065a40cc5832b6ca05f42ccc933ad1b69e38e6c09e5f559cf4d0a0e0b0c134084fe9a5ede2e1fa825f228bef3b9d66 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000eb827cf93ddd146af8365c0e3ca1302000000000200000000001066000000010000200000008441cf7eb7296786cf967e6c86f9a77993fb1a892e14d4ea82edbdc830f063b9000000000e8000000002000020000000bc021250d41c7baecf328bd0a6cad54d9a9def286cba6cf0881f4009b0e8590e20000000b835d8e08af4a14d6bd3cdbcc8b4a03a596daaacb7c2e751cec667422d6b6404400000002c9c67cdc0c7aabf37c02d9bcff6b9a14d5c05ced6daa78f4925d2d33a45fed676a0cd6d96ce8011271ab0cd851e017e33a78ada2ec270b4db710575fe71c4a3 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "15160344" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4238149048-355649189-894321705-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Processes

C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE

"C:\Program Files\Microsoft Office\Root\VFS\ProgramFilesCommonX64\Microsoft Shared\Office16\MSOXMLED.EXE" /verb open "C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\BlitzedGrabberV12.exe.xml

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:17410 /prefetch:2

Network

Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 e8392651321f87e3ed45adfbb9963dde
SHA1 2681d4e4d69061f06d3e6521f87c8304f96dd7a0
SHA256 56a7cccea3cb6cdee9a73c416bc77daab8973ef78ec520cd9af6ff4837c4259b
SHA512 3d75882c19847e7af7d089b09d08d4b08ea2c5b09dc3c17ac890f3a9bf2b42637bddb6cbf1455521d2562ec0cbe3e26a83156f63123819ab7b434a529bb6da18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

MD5 dd25eece262055fa2e7c798da8245627
SHA1 7f8dff5bf53fc2a6775d657cf30e43c712333a5e
SHA256 67d71d2d39ee7819764bef14658bb14d434a0969010f4a63936a478e55441637
SHA512 268aba5ef911eb1dec777fd52bbe230adceefae7b6c145e41d1ab4531b6e3f2858141325d4da67422078181fdf7641df475bb68384cecb334a3c24bee62676d2

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\K941J8ND\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Analysis: behavioral5

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win7-20230220-en

Max time kernel

28s

Max time network

31s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\APIFOR.dll,#1

Network

N/A

Files

N/A

Analysis: behavioral8

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:23

Platform

win10v2004-20230220-en

Max time kernel

76s

Max time network

98s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\BouncyCastle.Crypto.dll,#1

Network

Files

N/A

Analysis: behavioral11

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win7-20230220-en

Max time kernel

29s

Max time network

33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1704 -s 552

Network

N/A

Files

memory/1704-54-0x00000000010B0000-0x000000000112A000-memory.dmp

Analysis: behavioral12

Detonation Overview

Submitted

2023-04-13 19:21

Reported

2023-04-13 19:24

Platform

win10v2004-20230220-en

Max time kernel

135s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe

"C:\Users\Admin\AppData\Local\Temp\BlitzedGrabberV12-main\BlitzedGrabberV12\Resources\UltraEmbeddable.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 440 -p 2284 -ip 2284

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 2284 -s 872

Network

Files

memory/2284-133-0x00000000004F0000-0x000000000056A000-memory.dmp