Analysis Overview
SHA256
7da1fb99de280b8baf392e8d5a62026cf709b202bf78cc74652c3f84c90c929f
Threat Level: Likely malicious
The file Library.exe was found to be: Likely malicious.
Malicious Activity Summary
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Themida packer
Checks BIOS information in registry
Checks whether UAC is enabled
Legitimate hosting services abused for malware hosting/C2
Suspicious use of NtSetInformationThreadHideFromDebugger
Drops file in Windows directory
Enumerates physical storage devices
Unsigned PE
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Modifies registry class
Modifies Internet Explorer settings
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Suspicious use of SendNotifyMessage
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 23:09
Signatures
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
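Both static signatures above are reported without any indicator, so an analyst re-checking the sample would reproduce them by hand. The script below is an added example, not part of the sandbox report or its tooling: a pure-Python PE triage that answers the two questions the signatures raise. "Unsigned PE" is read from the Authenticode security directory (an embedded signature leaves a non-zero size there; an empty entry means no embedded signature, although catalog-signed OS components would also show as empty). "Themida packer" is approximated by section names and per-section Shannon entropy; the name list and the 7.2 bits/byte threshold are analyst-chosen heuristics (assumptions), since protectors can rename sections. The `build_synthetic_pe` helper constructs a minimal, non-executable image so the checks can be exercised offline without the sample; that image is constructed data, not Library.exe.

```python
import math
import struct

# Section names Themida/WinLicense-protected binaries are often seen with.
# Analyst-chosen heuristic (assumption): protectors can rename sections, so
# per-section entropy is the more robust signal and the names only corroborate.
PACKER_SECTION_NAMES = {b".themida", b".winlice", b".vlizer"}
HIGH_ENTROPY = 7.2  # bits/byte; compressed or encrypted data sits close to 8.0
IMAGE_DIRECTORY_ENTRY_SECURITY = 4  # Authenticode certificate table


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty/constant data, 8.0 for uniform bytes."""
    if not data:
        return 0.0
    n = len(data)
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    ent = 0.0
    for c in counts:
        if c:
            p = c / n
            ent -= p * math.log2(p)
    return ent


def triage_pe(data: bytes) -> dict:
    """Parse just enough of a PE to answer 'signed?' and 'looks packed?'."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    _machine, nsections, _, _, _, opt_size, _ = struct.unpack_from("<HHIIIHH", data, coff)
    opt = coff + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == 0x10B:      # PE32: data directories start 96 bytes into the optional header
        dd = opt + 96
    elif magic == 0x20B:    # PE32+: 112 bytes in
        dd = opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    num_rva = struct.unpack_from("<I", data, dd - 4)[0]
    cert_size = 0
    if num_rva > IMAGE_DIRECTORY_ENTRY_SECURITY:
        # For the security directory the first field is a file offset, not an RVA.
        _cert_off, cert_size = struct.unpack_from("<II", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY)
    sections = []
    shdr = opt + opt_size
    for i in range(nsections):
        name, _vsize, _va, raw_size, raw_ptr = struct.unpack_from("<8sIIII", data, shdr + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0"), "raw_size": raw_size,
                         "entropy": round(shannon_entropy(raw), 2)})
    packer_names = [s["name"] for s in sections if s["name"] in PACKER_SECTION_NAMES]
    high_entropy = [s["name"] for s in sections
                    if s["raw_size"] >= 512 and s["entropy"] >= HIGH_ENTROPY]
    return {
        "is_64bit": magic == 0x20B,
        "signed": cert_size > 0,   # False is what the report calls "Unsigned PE"
        "sections": sections,
        "packer_section_names": packer_names,
        "high_entropy_sections": high_entropy,
        "likely_packed": bool(packer_names or high_entropy),
    }


def build_synthetic_pe(section_specs, signed=False, pe32plus=False) -> bytes:
    """Construct a minimal, non-executable PE for offline testing (constructed data,
    not the sample). section_specs is a list of (name, payload) pairs."""
    file_align = 0x200
    nsec = len(section_specs)
    opt_size = 240 if pe32plus else 224
    hdr_len = 0x40 + 4 + 20 + opt_size + 40 * nsec
    hdr_size = -(-hdr_len // file_align) * file_align
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)                        # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, nsec, 0, 0, 0, opt_size, 0x2)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    dd = 112 if pe32plus else 96
    struct.pack_into("<I", opt, dd - 4, 16)                         # NumberOfRvaAndSizes
    shdrs, body, raw_ptr = bytearray(), bytearray(), hdr_size
    for idx, (name, payload) in enumerate(section_specs):
        raw_size = -(-len(payload) // file_align) * file_align
        shdrs += struct.pack("<8sIIIIIIHHI", name, len(payload), 0x1000 * (idx + 1),
                             raw_size, raw_ptr, 0, 0, 0, 0, 0x60000020)
        body += payload.ljust(raw_size, b"\0")
        raw_ptr += raw_size
    if signed:
        # Placeholder WIN_CERTIFICATE header appended at EOF; the directory entry is
        # (file offset, size). Presence is not validity: verify with signtool/osslsigncode.
        struct.pack_into("<II", opt, dd + 8 * IMAGE_DIRECTORY_ENTRY_SECURITY, raw_ptr, 8)
        body += struct.pack("<IHH", 8, 0x200, 0x0002)
    image = bytes(dos) + b"PE\0\0" + coff + bytes(opt) + bytes(shdrs)
    return image.ljust(hdr_size, b"\0") + bytes(body)


if __name__ == "__main__":
    demo = build_synthetic_pe([(b".text", b"\x90" * 1024), (b".themida", bytes(range(256)) * 4)])
    print(triage_pe(demo))
```

Run `triage_pe(open("Library.exe", "rb").read())` on the real sample; a populated `signed` flag only says a certificate blob is attached, and a short high-entropy section list on a Themida binary is typical because the protector keeps most of the image in one large encrypted section.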
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 23:09
Reported
2024-04-11 23:10
Platform
win7-20240221-en
Max time kernel
49s
Max time network
43s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
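The three registry-read signatures above (VirtualBox ACPI key, BIOS version strings, EnableLUA) are each weak on their own: installers read SystemBiosVersion and plenty of software reads EnableLUA. What makes them interesting is one process doing all of them in sequence. The script below is an added example, not part of the sandbox report or its tooling: it runs that correlation over a Procmon CSV export (Procmon records RegOpenKey/RegQueryValue, which Sysmon does not), grouping the exact paths from the report by what the read tells the malware and alerting only when a single PID combines categories. The FADT/RSDT VBOX__ entries are an addition beyond this report (VirtualBox publishes the same OEM table ID under those ACPI keys); the sample CSV is constructed to replay the accesses attributed to Library.exe plus benign noise, and the column layout is assumed from Procmon's default export. The NtSetInformationThread anti-debug call further down is API-level and would not appear in registry telemetry at all.

```python
import csv
import io
from collections import defaultdict

# Registry paths the sample touched, grouped by what the read tells the malware.
# FADT/RSDT entries are an addition beyond this report (assumption about the
# VirtualBox ACPI tables, not something the sandbox observed).
PROBE_RULES = {
    "anti_vm_acpi": [
        r"HARDWARE\ACPI\DSDT\VBOX__",
        r"HARDWARE\ACPI\FADT\VBOX__",
        r"HARDWARE\ACPI\RSDT\VBOX__",
    ],
    "bios_probe": [
        r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
        r"HARDWARE\DESCRIPTION\System\VideoBiosVersion",
    ],
    "uac_probe": [
        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA",
    ],
}
REGISTRY_READ_OPS = {"RegOpenKey", "RegQueryKey", "RegQueryValue"}


def normalize_path(path: str) -> str:
    r"""Strip the hive so Procmon (HKLM\...) and native (\REGISTRY\MACHINE\...)
    spellings, as used in the report above, match the same rule."""
    p = path.strip().lower()
    for prefix in ("\\registry\\machine\\", "hklm\\"):
        if p.startswith(prefix):
            return p[len(prefix):]
    return p


def classify(path: str):
    """Return the probe category a registry path (or a subkey of it) belongs to, or None."""
    key = normalize_path(path)
    for category, patterns in PROBE_RULES.items():
        for pat in patterns:
            pat = pat.lower()
            if key == pat or key.startswith(pat + "\\"):
                return category
    return None


def scan_procmon_csv(text: str) -> dict:
    """Collect, per PID, the probe categories a process triggered.
    Reads count whatever the Result column says: on bare metal the VBOX__ key
    does not exist and the open fails with NAME NOT FOUND, but the attempt is
    the evasion signal, not the outcome."""
    findings = defaultdict(lambda: {"process": None, "categories": set(), "paths": []})
    for row in csv.DictReader(io.StringIO(text)):
        if row["Operation"] not in REGISTRY_READ_OPS:
            continue
        category = classify(row["Path"])
        if category is None:
            continue
        entry = findings[row["PID"]]
        entry["process"] = row["Process Name"]
        entry["categories"].add(category)
        entry["paths"].append(row["Path"])
    return dict(findings)


def flag_sandbox_evasion(findings: dict, min_categories: int = 2) -> list:
    """One probe alone is weak evidence; alert only when one process combines categories."""
    return sorted(pid for pid, f in findings.items() if len(f["categories"]) >= min_categories)


# Constructed Procmon CSV export (column layout assumed from Procmon's default
# export), replaying the accesses the report attributes to Library.exe plus noise.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"11:09:41.0000001 PM","Library.exe","2120","RegOpenKey","HKLM\HARDWARE\ACPI\DSDT\VBOX__","NAME NOT FOUND","Desired Access: Read"
"11:09:41.0000002 PM","Library.exe","2120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\SystemBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"11:09:41.0000003 PM","Library.exe","2120","RegQueryValue","HKLM\HARDWARE\DESCRIPTION\System\VideoBiosVersion","SUCCESS","Type: REG_MULTI_SZ"
"11:09:41.0000004 PM","Library.exe","2120","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD"
"11:09:42.0000001 PM","svchost.exe","880","RegQueryValue","HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA","SUCCESS","Type: REG_DWORD"
"11:09:42.0000002 PM","explorer.exe","1456","RegOpenKey","HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer","SUCCESS","Desired Access: Read"
'''

if __name__ == "__main__":
    hits = scan_procmon_csv(SAMPLE_CSV)
    for pid in flag_sandbox_evasion(hits):
        print(pid, hits[pid]["process"], sorted(hits[pid]["categories"]))
```

On the constructed log only PID 2120 is raised; svchost.exe's lone EnableLUA read stays below the threshold. The same grouping translates directly into a correlation rule for any telemetry that records registry reads.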
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\IME\1.sys | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
| File created | C:\Windows\Fonts\AMIDEWINx64.EXE | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E344BF1-F858-11EE-A5A1-E299A69EE862} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E31EA91-F858-11EE-A5A1-E299A69EE862} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage\discord.com\NumberOfSubdomains = "1" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000e861098c19b4244d8627ee4664a9606900000000020000000000106600000001000020000000f14eaf499fa6e6acc12547a9d9294c95a668e25260134ba98917209c3113f262000000000e80000000020000200000000a7c44f26d9c867ed6fe31c656b686bfe904de5aeaa40a02f378edc7d4ec7f1420000000adcbeedaf5aab819e7e81f19075edbd81f4158b3644ff7117202a54d3945cdf540000000b3b713b74b36b0e805fcedc36853268b77fa41af4e50a2ab09ce4341a255832598d06e368081cc927a884ea2e8411cf763bb9bdc9cf56fd444fce3bce9bc6193 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\GPU | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\PageSetup | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\DOMStorage | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{9E347301-F858-11EE-A5A1-E299A69EE862} = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Toolbar | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Zoom | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5600000000000000dc04000065020000 | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\IntelliForms | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (data) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500" | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\InternetRegistry | C:\Program Files\Internet Explorer\iexplore.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\Library.exe
"C:\Users\Admin\AppData\Local\Temp\Library.exe"
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://discord.gg/blammed
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://blammed.pro/
C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://t.me/blammedsolutions
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2616 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2564 CREDAT:275457 /prefetch:2
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | discord.gg | udp |
| US | 8.8.8.8:53 | t.me | udp |
| US | 8.8.8.8:53 | blammed.pro | udp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 162.159.130.234:443 | discord.gg | tcp |
| US | 162.159.130.234:443 | discord.gg | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| NL | 149.154.167.99:443 | t.me | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 162.159.128.233:443 | discord.com | tcp |
| US | 8.8.8.8:53 | store13.gofile.io | udp |
| FR | 31.14.70.249:443 | store13.gofile.io | tcp |
| US | 8.8.8.8:53 | cold8.gofile.io | udp |
| US | 136.175.8.111:443 | cold8.gofile.io | tcp |
Files
memory/2120-0-0x0000000001090000-0x00000000019CE000-memory.dmp
memory/2120-1-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-2-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-3-0x0000000075830000-0x0000000075877000-memory.dmp
memory/2120-6-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-4-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-8-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-10-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-13-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-14-0x0000000077830000-0x0000000077832000-memory.dmp
memory/2120-15-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-12-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-16-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-11-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-18-0x0000000074840000-0x0000000074F2E000-memory.dmp
memory/2120-17-0x0000000001090000-0x00000000019CE000-memory.dmp
memory/2120-19-0x0000000001090000-0x00000000019CE000-memory.dmp
memory/2120-20-0x0000000000C40000-0x0000000000C80000-memory.dmp
memory/2120-21-0x00000000057D0000-0x0000000005BA6000-memory.dmp
memory/2120-22-0x0000000000C40000-0x0000000000C80000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9E31EA91-F858-11EE-A5A1-E299A69EE862}.dat
| MD5 | 20093f6ea64a6e31903e143750d9222e |
| SHA1 | a933d3344895765941038870bc940dfbb9336b0e |
| SHA256 | b33ecb749bb912bdf5fe88ea95364d4cda994d74dc0f958ce1c1c623c7001c7e |
| SHA512 | 2d00df825937e0fa96f6e3460d7a62bad7b26c6ad85a09c8cd46049e1878a776ee1722088cd649098dbb1a86f135e396ab3f4e21b4c6d49a6539e79ec9957d55 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9E31EA91-F858-11EE-A5A1-E299A69EE862}.dat
| MD5 | 860247c98835b0534d0cebd924eff876 |
| SHA1 | e076764c32e434745a7830738fffb3622b548591 |
| SHA256 | 09a134821350f0b0e348ffbb2d6633d5477f6c2158a5a53131b3d0290cc77f8e |
| SHA512 | 155a0dd1038dce8bd4b2f81be5518eeeca44496709fb953c438173790ba9c5eb22fe0ae69545c0d6ece6637a2f797f72e88cb9fdcabb21d72db65e30adcbde47 |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\Recovery\High\Active\RecoveryStore.{9E347301-F858-11EE-A5A1-E299A69EE862}.dat
| MD5 | 2249771f42fa6bf68d6f3e38b60f48a9 |
| SHA1 | 9e0cf314ecea2f08425faf82197a97a65f5578e2 |
| SHA256 | 9133475501da1e6e5e5c523383db7907f71a5f240af96f775ebf1dbf20da25ca |
| SHA512 | b99074869fa9aeb53e830ba22988c05e023ad55c2a375543eee06333daa448aeed94e5d73387e1aa15b2a9c5fc6ff5d6dd7229f3e23edfa9ec9b9ee684e238eb |
C:\Users\Admin\AppData\Local\Temp\Cab3D7E.tmp
| MD5 | ac05d27423a85adc1622c714f2cb6184 |
| SHA1 | b0fe2b1abddb97837ea0195be70ab2ff14d43198 |
| SHA256 | c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d |
| SHA512 | 6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d |
C:\Users\Admin\AppData\Local\Temp\Cab3E8A.tmp
| MD5 | 29f65ba8e88c063813cc50a4ea544e93 |
| SHA1 | 05a7040d5c127e68c25d81cc51271ffb8bef3568 |
| SHA256 | 1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184 |
| SHA512 | e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa |
C:\Users\Admin\AppData\Local\Temp\Tar3E8F.tmp
| MD5 | 435a9ac180383f9fa094131b173a2f7b |
| SHA1 | 76944ea657a9db94f9a4bef38f88c46ed4166983 |
| SHA256 | 67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34 |
| SHA512 | 1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | e0b99b6375d129ccc908c8293790bde2 |
| SHA1 | 8e5ecc3aeb4921ba69d59a452f5e28da0b03f6b4 |
| SHA256 | 6383484308a3c7e0f25bf9e112f096dbd48287a5b816150736f5c5d02325c537 |
| SHA512 | d8036c4a3e74e38d19363f0288bc60a02f01d5dc766da6223fa67bfe4716ff08024649cbe383ce0b6f342930f8930bbe1db67ce7a79253d2dbe468aa5bfd6479 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | bd8a41075f10df71e8582bc307ca4b0b |
| SHA1 | e28bd8447c760f80fd2f8f0f771bfd28c3f4b432 |
| SHA256 | 9b231bc7a5439a98b9a21040147d1ba9aece42122fd38d5b71954760888d4c36 |
| SHA512 | 7de64dd4aec21df7ad5853ac0817a0ee2bfd51bde30af682cfa265b425bea1eb1cddd8cb9057cb797d72255ac4d2d169c562eb0261a49ff51a1bc594b67a2b79 |
memory/2120-173-0x0000000001090000-0x00000000019CE000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\EDQW9R5V\favicon[1].ico
| MD5 | ec2c34cadd4b5f4594415127380a85e6 |
| SHA1 | e7e129270da0153510ef04a148d08702b980b679 |
| SHA256 | 128e20b3b15c65dd470cb9d0dc8fe10e2ff9f72fac99ee621b01a391ef6b81c7 |
| SHA512 | c1997779ff5d0f74a7fbb359606dab83439c143fbdb52025495bdc3a7cb87188085eaf12cc434cbf63b3f8da5417c8a03f2e64f751c0a63508e4412ea4e7425c |
C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\imagestore\sxsuh4u\imagestore.dat
| MD5 | 064fc7e561d242664cc48ef15e7f3d8d |
| SHA1 | fba8a9c6d0fad6730142b215e6df244f3ea1b740 |
| SHA256 | 73c9f2b221201a3d4b967cd4b4177855bfec0b2736034964d2a92465d37f8d41 |
| SHA512 | ff151b41f0a36d89dbddcb2056e9d19d33ca64a0b765ef5cabf9eaa6b24c0dedc1fa6f510af19b99bcbbc1f80e9fa6be106dba3fdfc977805a3fccca5c195cac |
memory/2120-198-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-200-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-199-0x0000000075830000-0x0000000075877000-memory.dmp
memory/2120-204-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-206-0x0000000076B50000-0x0000000076C60000-memory.dmp
memory/2120-205-0x0000000076B50000-0x0000000076C60000-memory.dmp
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6cdca7c34c40fe497b1d57c17670ed6 |
| SHA1 | 74a53feb2812aebd2293f3c4fe6ab37282f3b7e0 |
| SHA256 | f6cdf09c064528ac69db49853558ec49395aa9481b0ef97e04eec611bf9dfcd4 |
| SHA512 | a311384ba19ea8f89e6e934e15f0b563be83aae19a0b1b3a3bf6009cb3bb4eaaecec9ffb00401654d5f0a8ae96591892ff182506f547bad69b71a959f5c17068 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 0c847796eb39acfc471e2799d7083692 |
| SHA1 | b082759926a114e987b380e59535add69aba135b |
| SHA256 | aef4e64180d5cfb8b6631a443e7a0373d1e775c3651bd747c61f0f7caea6329c |
| SHA512 | 7c5f7f984f5c209a9575b74822f9a3b108c978514b7f9bbda1a6a564c441113be02f711a0e61cb127d3e15da3dc7662e6b5939180bf33939cd8d1c8f15d34b90 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | cd46a9ae25104a85be20e556e2c0bb32 |
| SHA1 | 987466f88d4bd0c761a319bad05670fa94816756 |
| SHA256 | 9f6fdb9d1cd3fadff07ce5043d7a1d318655a07a4096a528227aafe5addba0fe |
| SHA512 | 39b68beeeaf498f13e9246607d014aef8c46df6a43f1667ddfebf839cd7912f672857d85ae465ac9b83feaecd17869c4b6738c8897abe71793f3f1fd44fde566 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | f55c0f692a94b8152c434ece3152b62d |
| SHA1 | f8b1042be907e438f38537ce88fdb2dc0c801ae5 |
| SHA256 | dd8d89801a0347bc67b9aa176784220ecd6b883dd6dc189347a50832a5e6dcf8 |
| SHA512 | 430382a181338734dd9b09f28508a29e07a00403fc2534009ac61516fa329028b5a404fe4f929ce0ed4ee7e2aafc4233347c012e6014470f0da931b334e664d7 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 41bd86920678116273b3125b40ba8c3c |
| SHA1 | 0e6c9d1025609db208554cf480d75c122df44ddc |
| SHA256 | dd3ce878f761a84933ca578163ca8ffcb64792770c1fa3566335945e930fa4d4 |
| SHA512 | f655497f2733b21ae269030990ed363ab483009d51a4356031906b7cb2597e5cb55021352669e75cdc2c277ed27fcbc252cc91797705b1c4206bf6f18715a608 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | d974711cafd8303ca600d31da594d61e |
| SHA1 | 4c9d7e09e4c77307396b3d5579273f272c5dcabf |
| SHA256 | f7586fe4cd737dc7565c33accc03497f9074d662e231e956cbbe093fdc15ad18 |
| SHA512 | 51f64cc95e5cf0824d34ae096fa08f249c3b3e6402a3e9cf29812bf94dcb0982a8784e3508bb3b4a90e5cbd01a09bbe1402192bb42b68e05b7c23ea9952a0476 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | c6bcc99d938ecb0f478c0766956ce441 |
| SHA1 | b0a6ede3d5a5fec899a3edade44577c47c8a5265 |
| SHA256 | 2976055ef7908933986c0991a2b688d0f6411def4f4c6a7cf21324d46bb81677 |
| SHA512 | be78caa9ad6f3a6f0663e95842048be8ce75a9840a3e717bdd8cafc08f4900ea1d5271b5e0742091b35e394809a56467224b2731790e4bcfc6b3d6060310b80f |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 2ced6d96077924cfa0a2cff76bb0fbe6 |
| SHA1 | 8b3ec7bf577112cd7cfd6aec9122e39f9f968a3d |
| SHA256 | 6b1b08554be9d065dbc3b50fddc6afeb68a0d48c0ded958df0222868b3a2e80c |
| SHA512 | b3b96fa3a5537f4eb241eaf0dba786366151a991414e603084fae047ee06b1d96b7e9cf1a21a1c132c24e883aea69a2da83cb3a67c16412874527d9482bc3185 |
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
| MD5 | 95d002f7dd1d5d1843ae9681e2d2263e |
| SHA1 | c9c4a8c9bb4b880dbb7cb27e44bb2008fd36a3ae |
| SHA256 | fc69e6294e87dd5f2ea0376357636527831b597bbec0cf3c0bc39983fb81fff1 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 23:09
Reported
2024-04-11 23:12
Platform
win10v2004-20240226-en
Max time kernel
148s
Max time network
154s
Command Line
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Themida packer
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks whether UAC is enabled
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | N/A |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-3808065738-1666277613-1125846146-1000\{31EEF14F-C9F5-4804-83ED-BAEBD733D964} | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 3400 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3400 wrote to memory of 3084 | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3400 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3400 wrote to memory of 3288 | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3400 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
| PID 3400 wrote to memory of 1976 | N/A | C:\Users\Admin\AppData\Local\Temp\Library.exe | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\Library.exe
"C:\Users\Admin\AppData\Local\Temp\Library.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/blammed
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://blammed.pro/
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=1408 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://t.me/blammedsolutions
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=2144 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=4588 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=4300 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4048 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5888 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=6128 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=5696 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6448 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=6592 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --lang=en-US --service-sandbox-type=audio --no-appcompat-clear --mojo-platform-channel-handle=5644 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --mojo-platform-channel-handle=6804 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5572 --field-trial-handle=2900,i,14549994492153927475,12895178890800740987,262144 --variations-seed-version /prefetch:8
Network
Files