Analysis
max time kernel: 49s
max time network: 43s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11/04/2024, 23:09
Behavioral task: behavioral1
Sample: Library.exe
Resource: win7-20240221-en
General
Target: Library.exe
Size: 4.1MB
MD5: 04ed10d94e5cd607770eecc9aee56105
SHA1: f43752eb19d1359efcc90e8b1e7078594beed40c
SHA256: 7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f
SHA512: ff770a81822005bd0ff9b901cea3fc25d73daf06dafeaebf75cf2ba38841004fae6f6b102e6b34f215d1df5a647c1a398423ed32179ef1bb28b7562fa6036a27
SSDEEP: 98304:+80h5vs4SZWnzJgKSF3UPDV/KQBR8rOI4i1q3:pGVs44WntglyCQwAz
Malware Config
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (Library.exe)
Checks BIOS information in registry (2 TTPs, 2 IoCs)
BIOS information is often read in order to detect sandboxing environments.
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (Library.exe)
  Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (Library.exe)
YARA rule matches (resource: yara_rule)
  behavioral1/memory/2120-17-0x0000000001090000-0x00000000019CE000-memory.dmp: themida
  behavioral1/memory/2120-19-0x0000000001090000-0x00000000019CE000-memory.dmp: themida
  behavioral1/memory/2188-675-0x0000000140000000-0x00000001405E8000-memory.dmp: themida
  behavioral1/memory/2120-680-0x0000000001090000-0x00000000019CE000-memory.dmp: themida
Checks whether UAC is enabled
  Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (Library.exe)
Legitimate hosting services abused for malware hosting/C2 (1 TTP, 7 IoCs)
  flow 34: discord.com
  flow 35: discord.com
  flow 36: discord.com
  flow 30: discord.com
  flow 31: discord.com
  flow 32: discord.com
  flow 33: discord.com
Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  PID 2120: Library.exe
Drops file in Windows directory (2 IoCs)
  File created: C:\Windows\IME\1.sys (Library.exe)
  File created: C:\Windows\Fonts\AMIDEWINx64.EXE (Library.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies Internet Explorer settings
All keys below are relative to \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer; the process in parentheses performed the write.
  Key created: BrowserEmulation\LowMic (iexplore.exe)
  Set value (int): Recovery\AdminActive\{9E344BF1-F858-11EE-A5A1-E299A69EE862} = "0" (iexplore.exe)
  Key created: Main (IEXPLORE.EXE)
  Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Key created: BrowserEmulation\LowMic (iexplore.exe)
  Key created: IETld\LowMic (iexplore.exe)
  Key created: IntelliForms (iexplore.exe)
  Key created: Main (iexplore.exe)
  Set value (int): MINIE\TabBandWidth = "500" (iexplore.exe)
  Key created: TabbedBrowsing\NewTabPage (iexplore.exe)
  Set value (str): Main\FullScreen = "no" (iexplore.exe)
  Key created: GPU (iexplore.exe)
  Key created: LowRegistry (iexplore.exe)
  Key created: LowRegistry (iexplore.exe)
  Key created: LowRegistry\DOMStorage (iexplore.exe)
  Key created: InternetRegistry (iexplore.exe)
  Set value (int): Recovery\AdminActive\{9E31EA91-F858-11EE-A5A1-E299A69EE862} = "0" (iexplore.exe)
  Key created: Recovery\PendingRecovery (iexplore.exe)
  Key created: SearchScopes (iexplore.exe)
  Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Set value (int): DOMStorage\discord.com\NumberOfSubdomains = "1" (IEXPLORE.EXE)
  Key created: Toolbar\WebBrowser (iexplore.exe)
  Key created: Zoom (iexplore.exe)
  Key created: PageSetup (iexplore.exe)
  Key created: IETld\LowMic (iexplore.exe)
  Set value (int): Recovery\PendingRecovery\AdminActive = "0" (iexplore.exe)
  Set value (int): SearchScopes\DownloadRetries = "3" (iexplore.exe)
  Set value (data): TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000f14eaf499fa6e6acc12547a9d9294c95a668e25260134ba98917209c3113f262000000000e80000000020000200000000a7c44f26d9c867ed6fe31c656b686bfe904de5aeaa40a02f378edc7d4ec7f1420000000adcbeedaf5aab819e7e81f19075edbd81f4158b3644ff7117202a54d3945cdf540000000b3b713b74b36b0e805fcedc36853268b77fa41af4e50a2ab09ce4341a255832598d06e368081cc927a884ea2e8411cf763bb9bdc9cf56fd444fce3bce9bc6193 (iexplore.exe)
  Key created: Main (iexplore.exe)
  Key created: Toolbar\WebBrowser (iexplore.exe)
  Set value (str): Main\WindowsSearch\Version = "WS not running" (iexplore.exe)
  Key created: Recovery\PendingRecovery (iexplore.exe)
  Key created: Toolbar (iexplore.exe)
  Key created: GPU (iexplore.exe)
  Key created: LowRegistry (iexplore.exe)
  Key created: PageSetup (iexplore.exe)
  Key created: Main\WindowsSearch (iexplore.exe)
  Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 (iexplore.exe)
  Key created: DOMStorage (IEXPLORE.EXE)
  Set value (str): Main\FullScreen = "no" (iexplore.exe)
  Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Set value (int): Recovery\AdminActive\{9E347301-F858-11EE-A5A1-E299A69EE862} = "0" (iexplore.exe)
  Key created: Main\WindowsSearch (iexplore.exe)
  Set value (str): Main\FullScreen = "no" (iexplore.exe)
  Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
  Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
  Key created: Recovery\AdminActive (iexplore.exe)
  Key created: Main (IEXPLORE.EXE)
  Key created: Toolbar (iexplore.exe)
  Key created: IETld\LowMic (iexplore.exe)
  Key created: Zoom (iexplore.exe)
  Key created: BrowserEmulation\LowMic (iexplore.exe)
  Set value (int): Recovery\PendingRecovery\AdminActive = "1" (iexplore.exe)
  Key created: Recovery\AdminActive (iexplore.exe)
  Set value (data): Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 (iexplore.exe)
  Key created: Recovery\PendingRecovery (iexplore.exe)
  Set value (str): Main\WindowsSearch\Version = "WS not running" (IEXPLORE.EXE)
  Key created: IntelliForms (iexplore.exe)
  Key created: InternetRegistry (iexplore.exe)
  Key created: LowRegistry\DontShowMeThisDialogAgain (iexplore.exe)
  Set value (int): Main\CompatibilityFlags = "0" (iexplore.exe)
  Set value (data): TabbedBrowsing\NewTabPage\MFV = (value not preserved in the report) (iexplore.exe)
  Set value (int): MINIE\TabBandWidth = "500" (iexplore.exe)
  Key created: InternetRegistry (iexplore.exe)
Suspicious behavior: EnumeratesProcesses (19 IoCs)
  PID 2188: taskmgr.exe (19 events)
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2188: taskmgr.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Token: SeDebugPrivilege, PID 2120: Library.exe
  Token: SeDebugPrivilege, PID 2188: taskmgr.exe
Suspicious use of FindShellTrayWindow (48 IoCs)
  PID 2564: iexplore.exe
  PID 2980: iexplore.exe
  PID 2616: iexplore.exe
  PID 2188: taskmgr.exe (45 events)
Suspicious use of SendNotifyMessage (45 IoCs)
  PID 2188: taskmgr.exe (45 events)
Suspicious use of SetWindowsHookEx (16 IoCs)
  PID 2616: iexplore.exe (2 events)
  PID 2564: iexplore.exe (2 events)
  PID 2980: iexplore.exe (2 events)
  PID 1720: IEXPLORE.EXE (2 events)
  PID 2016: IEXPLORE.EXE (2 events)
  PID 1956: IEXPLORE.EXE (2 events)
  PID 2016: IEXPLORE.EXE (2 events)
  PID 1720: IEXPLORE.EXE (2 events)
Suspicious use of WriteProcessMemory (24 IoCs)
  PID 2120 (Library.exe) wrote to memory of PID 2616, procid_target 28 (4 events)
  PID 2120 (Library.exe) wrote to memory of PID 2564, procid_target 29 (4 events)
  PID 2120 (Library.exe) wrote to memory of PID 2980, procid_target 30 (4 events)
  PID 2616 (iexplore.exe) wrote to memory of PID 1956, procid_target 32 (4 events)
  PID 2564 (iexplore.exe) wrote to memory of PID 1720, procid_target 34 (4 events)
  PID 2980 (iexplore.exe) wrote to memory of PID 2016, procid_target 33 (4 events)
Processes
C:\Users\Admin\AppData\Local\Temp\Library.exe (PID 2120)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Library.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe (PID 2616)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/blammed
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1956)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  C:\Program Files\Internet Explorer\iexplore.exe (PID 2564)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://blammed.pro/
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1720)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  C:\Program Files\Internet Explorer\iexplore.exe (PID 2980)
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/blammedsolutions
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 2016)
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
C:\Windows\system32\taskmgr.exe (PID 2188)
  Command line: "C:\Windows\system32\taskmgr.exe" /4
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: bd8a41075f10df71e8582bc307ca4b0b
SHA1: e28bd8447c760f80fd2f8f0f771bfd28c3f4b432
SHA256: 9b231bc7a5439a98b9a21040147d1ba9aece42122fd38d5b71954760888d4c36
SHA512: 7de64dd4aec21df7ad5853ac0817a0ee2bfd51bde30af682cfa265b425bea1eb1cddd8cb9057cb797d72255ac4d2d169c562eb0261a49ff51a1bc594b67a2b79

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: c6cdca7c34c40fe497b1d57c17670ed6
SHA1: 74a53feb2812aebd2293f3c4fe6ab37282f3b7e0
SHA256: f6cdf09c064528ac69db49853558ec49395aa9481b0ef97e04eec611bf9dfcd4
SHA512: a311384ba19ea8f89e6e934e15f0b563be83aae19a0b1b3a3bf6009cb3bb4eaaecec9ffb00401654d5f0a8ae96591892ff182506f547bad69b71a959f5c17068

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 0c847796eb39acfc471e2799d7083692
SHA1: b082759926a114e987b380e59535add69aba135b
SHA256: aef4e64180d5cfb8b6631a443e7a0373d1e775c3651bd747c61f0f7caea6329c
SHA512: 7c5f7f984f5c209a9575b74822f9a3b108c978514b7f9bbda1a6a564c441113be02f711a0e61cb127d3e15da3dc7662e6b5939180bf33939cd8d1c8f15d34b90

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: cd46a9ae25104a85be20e556e2c0bb32
SHA1: 987466f88d4bd0c761a319bad05670fa94816756
SHA256: 9f6fdb9d1cd3fadff07ce5043d7a1d318655a07a4096a528227aafe5addba0fe
SHA512: 39b68beeeaf498f13e9246607d014aef8c46df6a43f1667ddfebf839cd7912f672857d85ae465ac9b83feaecd17869c4b6738c8897abe71793f3f1fd44fde566

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: f55c0f692a94b8152c434ece3152b62d
SHA1: f8b1042be907e438f38537ce88fdb2dc0c801ae5
SHA256: dd8d89801a0347bc67b9aa176784220ecd6b883dd6dc189347a50832a5e6dcf8
SHA512: 430382a181338734dd9b09f28508a29e07a00403fc2534009ac61516fa329028b5a404fe4f929ce0ed4ee7e2aafc4233347c012e6014470f0da931b334e664d7

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 41bd86920678116273b3125b40ba8c3c
SHA1: 0e6c9d1025609db208554cf480d75c122df44ddc
SHA256: dd3ce878f761a84933ca578163ca8ffcb64792770c1fa3566335945e930fa4d4
SHA512: f655497f2733b21ae269030990ed363ab483009d51a4356031906b7cb2597e5cb55021352669e75cdc2c277ed27fcbc252cc91797705b1c4206bf6f18715a608

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: d974711cafd8303ca600d31da594d61e
SHA1: 4c9d7e09e4c77307396b3d5579273f272c5dcabf
SHA256: f7586fe4cd737dc7565c33accc03497f9074d662e231e956cbbe093fdc15ad18
SHA512: 51f64cc95e5cf0824d34ae096fa08f249c3b3e6402a3e9cf29812bf94dcb0982a8784e3508bb3b4a90e5cbd01a09bbe1402192bb42b68e05b7c23ea9952a0476

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: c6bcc99d938ecb0f478c0766956ce441
SHA1: b0a6ede3d5a5fec899a3edade44577c47c8a5265
SHA256: 2976055ef7908933986c0991a2b688d0f6411def4f4c6a7cf21324d46bb81677
SHA512: be78caa9ad6f3a6f0663e95842048be8ce75a9840a3e717bdd8cafc08f4900ea1d5271b5e0742091b35e394809a56467224b2731790e4bcfc6b3d6060310b80f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 2ced6d96077924cfa0a2cff76bb0fbe6
SHA1: 8b3ec7bf577112cd7cfd6aec9122e39f9f968a3d
SHA256: 6b1b08554be9d065dbc3b50fddc6afeb68a0d48c0ded958df0222868b3a2e80c
SHA512: b3b96fa3a5537f4eb241eaf0dba786366151a991414e603084fae047ee06b1d96b7e9cf1a21a1c132c24e883aea69a2da83cb3a67c16412874527d9482bc3185

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 95d002f7dd1d5d1843ae9681e2d2263e
SHA1: c9c4a8c9bb4b880dbb7cb27e44bb2008fd36a3ae
SHA256: fc69e6294e87dd5f2ea0376357636527831b597bbec0cf3c0bc39983fb81fff1
SHA512: 7f0f70eb2bb7253eeb7b1f7eb5654900fbf087e71c519bcbe14e8a22742951e77df839814a5311f31cbfc736924322ead5efceccfb50e673306c271c99680f78

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: 134ca3a29f6e731411ca8cc754554b85
SHA1: 96b46c27c45545aa8a72a516fad9fed6b69474f6
SHA256: 35482c309d56a92eda2476fa03e4ad72796a03ddc35fecccc44224947352f9d5
SHA512: d76650bdf8bcd1793218ac46b229bf7ad6aa20eaa566dfcfbc0649a264dfe85db70df68681efd826010cd5c83f14974867f6c1d02252bf8cdb01bf53a25222c4

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
Filesize: 344B
MD5: e0b99b6375d129ccc908c8293790bde2
SHA1: 8e5ecc3aeb4921ba69d59a452f5e28da0b03f6b4
SHA256: 6383484308a3c7e0f25bf9e112f096dbd48287a5b816150736f5c5d02325c537
SHA512: d8036c4a3e74e38d19363f0288bc60a02f01d5dc766da6223fa67bfe4716ff08024649cbe383ce0b6f342930f8930bbe1db67ce7a79253d2dbe468aa5bfd6479

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9E31EA91-F858-11EE-A5A1-E299A69EE862}.dat
Filesize: 4KB
MD5: 20093f6ea64a6e31903e143750d9222e
SHA1: a933d3344895765941038870bc940dfbb9336b0e
SHA256: b33ecb749bb912bdf5fe88ea95364d4cda994d74dc0f958ce1c1c623c7001c7e
SHA512: 2d00df825937e0fa96f6e3460d7a62bad7b26c6ad85a09c8cd46049e1878a776ee1722088cd649098dbb1a86f135e396ab3f4e21b4c6d49a6539e79ec9957d55

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9E31EA91-F858-11EE-A5A1-E299A69EE862}.dat
Filesize: 3KB
MD5: 860247c98835b0534d0cebd924eff876
SHA1: e076764c32e434745a7830738fffb3622b548591
SHA256: 09a134821350f0b0e348ffbb2d6633d5477f6c2158a5a53131b3d0290cc77f8e
SHA512: 155a0dd1038dce8bd4b2f81be5518eeeca44496709fb953c438173790ba9c5eb22fe0ae69545c0d6ece6637a2f797f72e88cb9fdcabb21d72db65e30adcbde47

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9E347301-F858-11EE-A5A1-E299A69EE862}.dat
Filesize: 5KB
MD5: 2249771f42fa6bf68d6f3e38b60f48a9
SHA1: 9e0cf314ecea2f08425faf82197a97a65f5578e2
SHA256: 9133475501da1e6e5e5c523383db7907f71a5f240af96f775ebf1dbf20da25ca
SHA512: b99074869fa9aeb53e830ba22988c05e023ad55c2a375543eee06333daa448aeed94e5d73387e1aa15b2a9c5fc6ff5d6dd7229f3e23edfa9ec9b9ee684e238eb

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{5339A170-D0C3-11EE-87E8-C695CBC44580}.dat
Filesize: 5KB
MD5: f7c950cf3dea9fd3c92b8e046e9cb0f1
SHA1: 708436bfef9b31a82f4e89b7e08f68ed67cc0a62
SHA256: 84fba41aef1984217e0b284ac4f748fa0b7a0745d576e8ac9c8c54be10ccdb9f
SHA512: ba9ba64c263154d8345c45dac9a1bd8e5dee45fc519b589b9a929b2eab1d2f0e0908b803d43235e67f1cfe74eeea02609580b72e5885d5d4ad42dd8246306b0a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{5339A170-D0C3-11EE-87E8-C695CBC44580}.dat
Filesize: 6KB
MD5: f217d3eb71428f918ed2b68914c97230
SHA1: fc10e8a317600a01d8d435911670087445c28a96
SHA256: 7c970c06cec8f7fa756c6d51efb0098e6abd69a004ccae3eda63808a5ee1bead
SHA512: 70e542dd873d84c102922990176e68fd91019dff63df9241b8f3fd3e846618b9ea044a26c8f680baafb2e29deb3e4605083d2730a3c991242112610ca452862d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9E31EA94-F858-11EE-A5A1-E299A69EE862}.dat
Filesize: 4KB
MD5: 6498562b5eaad231fb1a47aaba988341
SHA1: 35a88b28f4214ae029a47110865d3884234cf059
SHA256: e1c730ab756197312a8c7616654c9bc7129f988b844a630e75b29ebe439b1922
SHA512: 6b450083e93d809854c365601a9219010b76f3bcf5e21dda1467c263e40a4dd98dc551ce6df625213beef28eea46a894e273b2be636afc98eb10c5b6679293ef

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{A4A38370-F858-11EE-A5A1-E299A69EE862}.dat
Filesize: 4KB
MD5: d20e75b0e4794f3564b5666c73a24039
SHA1: e4433023cda8fd6ceeac5f13dcbbfc7b38e76eb0
SHA256: d217f525ed0273c7f4bb027857c129c7761ddc08180e68514673767c2cb584c3
SHA512: 73f9a83d3625c5f4e51de5710fea3eb9ce3c8215131a88e00f9ba4d86e40402743b5ea5eed927128790611009443dfade4b552f876d76ef93209413739a65a3d

Filesize: 24KB
MD5: 064fc7e561d242664cc48ef15e7f3d8d
SHA1: fba8a9c6d0fad6730142b215e6df244f3ea1b740
SHA256: 73c9f2b221201a3d4b967cd4b4177855bfec0b2736034964d2a92465d37f8d41
SHA512: ff151b41f0a36d89dbddcb2056e9d19d33ca64a0b765ef5cabf9eaa6b24c0dedc1fa6f510af19b99bcbbc1f80e9fa6be106dba3fdfc977805a3fccca5c195cac

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\favicon[1].ico
Filesize: 23KB
MD5: ec2c34cadd4b5f4594415127380a85e6
SHA1: e7e129270da0153510ef04a148d08702b980b679
SHA256: 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7
SHA512: c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c

Filesize: 65KB
MD5: ac05d27423a85adc1622c714f2cb6184
SHA1: b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256: c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA512: 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Filesize: 68KB
MD5: 29f65ba8e88c063813cc50a4ea544e93
SHA1: 05a7040d5c127e68c25d81cc51271ffb8bef3568
SHA256: 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184
SHA512: e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Filesize: 177KB
MD5: 435a9ac180383f9fa094131b173a2f7b
SHA1: 76944ea657a9db94f9a4bef38f88c46ed4166983
SHA256: 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34
SHA512: 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Filesize: 16KB
MD5: d02fb6dca4e85882e1050901d1783935
SHA1: 5579f9d6e54f61a43781401e51add0f8bb181a08
SHA256: 107919610b9fcaa74f2c8c269cabc516f8d8f4466317694a6e9acbc1d1030d26
SHA512: 3495318358d72c545cb48fe3892fed7b520e7cb206dce2cbb4b424eb373aff55194a085227a2c1ded936fbbf3caa7bd959e1e29df8cc0003f04e1db5528bc25c