Malware Analysis Report

2025-08-05 23:04

Sample ID 240411-25bv5sgb66
Target Library.exe
SHA256 7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f
Tags
themida evasion trojan
score
9/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
9/10

SHA256

7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f

Threat Level: Likely malicious

The file Library.exe was found to be: Likely malicious.

Malicious Activity Summary

themida evasion trojan

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Themida packer

Checks BIOS information in registry

Checks whether UAC is enabled

Legitimate hosting services abused for malware hosting/C2

Suspicious use of NtSetInformationThreadHideFromDebugger

Drops file in Windows directory

Enumerates physical storage devices

Unsigned PE

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: GetForegroundWindowSpam

Modifies registry class

Modifies Internet Explorer settings

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of SendNotifyMessage

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-04-11 23:09

Signatures

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-04-11 23:09

Reported

2024-04-11 23:10

Platform

win7-20240221-en

Max time kernel

49s

Max time network

43s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Library.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\Library.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\Library.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion C:\Users\Admin\AppData\Local\Temp\Library.exe N/A

Themida packer

themida
Description Indicator Process Target
N/A N/A N/A N/A (×4)

Checks whether UAC is enabled

evasion trojan
Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA C:\Users\Admin\AppData\Local\Temp\Library.exe N/A

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A (×7)

Suspicious use of NtSetInformationThreadHideFromDebugger

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\Library.exe N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\IME\1.sys C:\Users\Admin\AppData\Local\Temp\Library.exe N/A
File created C:\Windows\Fonts\AMIDEWINx64.EXE C:\Users\Admin\AppData\Local\Temp\Library.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E344BF1-F858-11EE-A5A1-E299A69EE862} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A (×2)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E31EA91-F858-11EE-A5A1-E299A69EE862} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000f14eaf499fa6e6acc12547a9d9294c95a668e25260134ba98917209c3113f262000000000e80000000020000200000000a7c44f26d9c867ed6fe31c656b686bfe904de5aeaa40a02f378edc7d4ec7f1420000000adcbeedaf5aab819e7e81f19075edbd81f4158b3644ff7117202a54d3945cdf540000000b3b713b74b36b0e805fcedc36853268b77fa41af4e50a2ab09ce4341a255832598d06e368081cc927a884ea2e8411cf763bb9bdc9cf56fd444fce3bce9bc6193 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E347301-F858-11EE-A5A1-E299A69EE862} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A (×2)
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\Library.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\system32\taskmgr.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A (×3)
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×45)

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\system32\taskmgr.exe N/A (×45)

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2120 wrote to memory of 2616 N/A C:\Users\Admin\AppData\Local\Temp\Library.exe C:\Program Files\Internet Explorer\iexplore.exe (×4)
PID 2120 wrote to memory of 2564 N/A C:\Users\Admin\AppData\Local\Temp\Library.exe C:\Program Files\Internet Explorer\iexplore.exe (×4)
PID 2120 wrote to memory of 2980 N/A C:\Users\Admin\AppData\Local\Temp\Library.exe C:\Program Files\Internet Explorer\iexplore.exe (×4)
PID 2616 wrote to memory of 1956 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (×4)
PID 2564 wrote to memory of 1720 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (×4)
PID 2980 wrote to memory of 2016 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (×4)

Processes

C:\Users\Admin\AppData\Local\Temp\Library.exe

"C:\Users\Admin\AppData\Local\Temp\Library.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/blammed

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://blammed.pro/

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/blammedsolutions

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2

C:\Windows\system32\taskmgr.exe

"C:\Windows\system32\taskmgr.exe" /4

Network

Country Destination Domain Proto
US 8.8.8.8:53 discord.gg udp
US 8.8.8.8:53 t.me udp
US 8.8.8.8:53 blammed.pro udp
NL 149.154.167.99:443 t.me tcp (×8)
US 162.159.130.234:443 discord.gg tcp (×2)
US 8.8.8.8:53 discord.com udp
US 162.159.128.233:443 discord.com tcp (×6)
US 8.8.8.8:53 store13.gofile.io udp
FR 31.14.70.249:443 store13.gofile.io tcp
US 8.8.8.8:53 cold8.gofile.io udp
US 136.175.8.111:443 cold8.gofile.io tcp

Files

SHA1 4c9d7e09e4c77307396b3d5579273f272c5dcabf
SHA256 f7586fe4cd737dc7565c33accc03497f9074d662e231e956cbbe093fdc15ad18
SHA512 51f64cc95e5cf0824d34ae096fa08f249c3b3e6402a3e9cf29812bf94dcb0982a8784e3508bb3b4a90e5cbd01a09bbe1402192bb42b68e05b7c23ea9952a0476

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c6bcc99d938ecb0f478c0766956ce441
SHA1 b0a6ede3d5a5fec899a3edade44577c47c8a5265
SHA256 2976055ef7908933986c0991a2b688d0f6411def4f4c6a7cf21324d46bb81677
SHA512 be78caa9ad6f3a6f0663e95842048be8ce75a9840a3e717bdd8cafc08f4900ea1d5271b5e0742091b35e394809a56467224b2731790e4bcfc6b3d6060310b80f

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2ced6d96077924cfa0a2cff76bb0fbe6
SHA1 8b3ec7bf577112cd7cfd6aec9122e39f9f968a3d
SHA256 6b1b08554be9d065dbc3b50fddc6afeb68a0d48c0ded958df0222868b3a2e80c
SHA512 b3b96fa3a5537f4eb241eaf0dba786366151a991414e603084fae047ee06b1d96b7e9cf1a21a1c132c24e883aea69a2da83cb3a67c16412874527d9482bc3185

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 95d002f7dd1d5d1843ae9681e2d2263e
SHA1 c9c4a8c9bb4b880dbb7cb27e44bb2008fd36a3ae
SHA256 fc69e6294e87dd5f2ea0376357636527831b597bbec0cf3c0bc39983fb81fff1
SHA512 7f0f70eb2bb7253eeb7b1f7eb5654900fbf087e71c519bcbe14e8a22742951e77df839814a5311f31cbfc736924322ead5efceccfb50e673306c271c99680f78

memory/2120-520-0x0000000076B50000-0x0000000076C60000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 134ca3a29f6e731411ca8cc754554b85
SHA1 96b46c27c45545aa8a72a516fad9fed6b69474f6
SHA256 35482c309d56a92eda2476fa03e4ad72796a03ddc35fecccc44224947352f9d5
SHA512 d76650bdf8bcd1793218ac46b229bf7ad6aa20eaa566dfcfbc0649a264dfe85db70df68681efd826010cd5c83f14974867f6c1d02252bf8cdb01bf53a25222c4

memory/2120-647-0x0000000074840000-0x0000000074F2E000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{5339A170-D0C3-11EE-87E8-C695CBC44580}.dat

MD5 f7c950cf3dea9fd3c92b8e046e9cb0f1
SHA1 708436bfef9b31a82f4e89b7e08f68ed67cc0a62
SHA256 84fba41aef1984217e0b284ac4f748fa0b7a0745d576e8ac9c8c54be10ccdb9f
SHA512 ba9ba64c263154d8345c45dac9a1bd8e5dee45fc519b589b9a929b2eab1d2f0e0908b803d43235e67f1cfe74eeea02609580b72e5885d5d4ad42dd8246306b0a

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{9E31EA94-F858-11EE-A5A1-E299A69EE862}.dat

MD5 6498562b5eaad231fb1a47aaba988341
SHA1 35a88b28f4214ae029a47110865d3884234cf059
SHA256 e1c730ab756197312a8c7616654c9bc7129f988b844a630e75b29ebe439b1922
SHA512 6b450083e93d809854c365601a9219010b76f3bcf5e21dda1467c263e40a4dd98dc551ce6df625213beef28eea46a894e273b2be636afc98eb10c5b6679293ef

C:\Users\Admin\AppData\Local\Temp\~DF3B0E6C314C311BCB.TMP

MD5 d02fb6dca4e85882e1050901d1783935
SHA1 5579f9d6e54f61a43781401e51add0f8bb181a08
SHA256 107919610b9fcaa74f2c8c269cabc516f8d8f4466317694a6e9acbc1d1030d26
SHA512 3495318358d72c545cb48fe3892fed7b520e7cb206dce2cbb4b424eb373aff55194a085227a2c1ded936fbbf3caa7bd959e1e29df8cc0003f04e1db5528bc25c

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\{A4A38370-F858-11EE-A5A1-E299A69EE862}.dat

MD5 d20e75b0e4794f3564b5666c73a24039
SHA1 e4433023cda8fd6ceeac5f13dcbbfc7b38e76eb0
SHA256 d217f525ed0273c7f4bb027857c129c7761ddc08180e68514673767c2cb584c3
SHA512 73f9a83d3625c5f4e51de5710fea3eb9ce3c8215131a88e00f9ba4d86e40402743b5ea5eed927128790611009443dfade4b552f876d76ef93209413739a65a3d

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Last Active\RecoveryStore.{5339A170-D0C3-11EE-87E8-C695CBC44580}.dat

MD5 f217d3eb71428f918ed2b68914c97230
SHA1 fc10e8a317600a01d8d435911670087445c28a96
SHA256 7c970c06cec8f7fa756c6d51efb0098e6abd69a004ccae3eda63808a5ee1bead
SHA512 70e542dd873d84c102922990176e68fd91019dff63df9241b8f3fd3e846618b9ea044a26c8f680baafb2e29deb3e4605083d2730a3c991242112610ca452862d

memory/2120-672-0x0000000000C40000-0x0000000000C80000-memory.dmp

memory/2120-673-0x0000000000C40000-0x0000000000C80000-memory.dmp

memory/2188-675-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2188-676-0x0000000140000000-0x00000001405E8000-memory.dmp

memory/2120-679-0x0000000075830000-0x0000000075877000-memory.dmp

memory/2120-678-0x0000000076B50000-0x0000000076C60000-memory.dmp

memory/2120-680-0x0000000001090000-0x00000000019CE000-memory.dmp

memory/2120-682-0x0000000000C40000-0x0000000000C80000-memory.dmp

memory/2120-681-0x0000000074840000-0x0000000074F2E000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-04-11 23:09

Reported

2024-04-11 23:12

Platform

win10v2004-20240226-en

Max time kernel

148s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\Library.exe"

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A

Themida packer

themida
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A

Legitimate hosting services abused for malware hosting/C2

Description | Indicator | Process | Target
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A
N/A | discord.com | N/A | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{31EEF14F-C9F5-4804-83ED-BAEBD733D964} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\Library.exe

"C:\Users\Admin\AppData\Local\Temp\Library.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/blammed

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://blammed.pro/

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=1408 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/blammedsolutions

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2144 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4588 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4300 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5888 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5696 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6448 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6592 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5644 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6804 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8

Network


Files
