Malware Analysis Report

2025-08-05 21:25

Sample ID 231220-tlfe8aacc5
Target e2b22c7e6a61834361d49697274d8cb3
SHA256 c151884ac7e723b223f637c64a4e352b7439f0d37099327e800959dd062d14e0
Tags: vmprotect, persistence
Score: 7/10

Analysis Overview

Score: 7/10

SHA256

c151884ac7e723b223f637c64a4e352b7439f0d37099327e800959dd062d14e0

Threat Level: Shows suspicious behavior

The file e2b22c7e6a61834361d49697274d8cb3 was found to show suspicious behavior.

Malicious Activity Summary

Tags: vmprotect, persistence

Executes dropped EXE

Loads dropped DLL

VMProtect packed file

Checks computer location settings

Drops startup file

Adds Run key to start application

Enumerates physical storage devices

Unsigned PE

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-12-20 16:08

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-12-20 16:08

Reported

2023-12-22 09:40

Platform

win7-20231215-en

Max time kernel

0s

Max time network

146s

Command Line

cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\cmd.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2108 wrote to memory of 3052 N/A C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2344 N/A C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe C:\Windows\SysWOW64\cmd.exe
PID 2108 wrote to memory of 2136 N/A C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe C:\Windows\SysWOW64\cmd.exe
PID 3052 wrote to memory of 2284 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2344 wrote to memory of 2700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
PID 2136 wrote to memory of 2752 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

Processes

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe

"C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dcyqigq.vbs"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\

Network

Country Destination Domain Proto
US 8.8.8.8:53 00000000.me udp

Files

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

MD5 388cdcfca24309c6293ba05e77a877b5
SHA1 42cd6023dc7e3e6dd535a8ba702d1e4500d6bcdf
SHA256 0fc048c8ad65106ca2b8ad5fb0c10479a2868b8b542721d0d18c15d94dcb28f5
SHA512 e5f424e79ff399707ff3d15b17d2342e1962a8c8787e74f2111b898db416822e30d955b6cb206f388ec5a9059341e7765dfd3d351b05cfbd7692879c5012c978

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

MD5 efeee1149ce5321d3965c3a710709f9f
SHA1 cf4c97ecb3b3023dec8c8da90d9d1860a6ceebca
SHA256 caed1021c3210591debe5947652c6327c4455009c2f03fba89331ce0dc6bac4d
SHA512 28ccde2b4964be07a522be9507592baec3e0be5e5dc456ae24c23e00781b71c064601e3703910d007c83aaf3a638f9c6085fc527f64b02df24474070099853e2

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

MD5 26a633c80363cc69fd56c9cb21043468
SHA1 24031612c3bdec8211f62d290293cf19e6dfd1cc
SHA256 6b79ceb99a3830de885f53d488b092e8aaac9128ff7110d0aeb814ca15e46d1b
SHA512 ee660762dd3e0d4f67d74b152e5b4e26f249f6132ac4708bae17abe0ba4a4477986f0fe9acc125c7e87d6e8e0781f4c9bd96e78da30a40543e29a84c59546352

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

MD5 a8a8813ccae5fadcfd5ceb54bd73d487
SHA1 5db2d1806db9e8225d8a43cf6ddf0dd6f86ee508
SHA256 954990088ae0a2f592afaabe9be890ecc79eb21eb11a68e5e851fd9a1a91f60a
SHA512 0fddda23d652db74b6da169eb1386d689ab52bcd3ac3af633866c16e3ccb13c354d0b2ba881c975a9f3f1df68b909d19750d81397b198f7b705fa6c915fddf37

\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

MD5 c553eee0b01c283e89aeaba14f0b7396
SHA1 659d7598adee8fc0349941771df0fb6179672a20
SHA256 900f6dd1d7085c960667c35790384eae95e3e610875f098c14c23ba1f98a6054
SHA512 cb8482fd5c19a639b12ef558d28db4ec58ecaf5857f83fe41af9b86aa6b100f89f7f4b3bb07ccc8fbc7609d1ca835bade64d2dda31631a5bce2cb3fecdecc73b

\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

MD5 61d896ca84ea2de3a978c3489b16fc48
SHA1 daa2b2bc89a6064f2980ea55bba0c4b5cc88ebe9
SHA256 05649a9858017745b88822c3aaabe887bfda83fb0c8a692701e728c019c1ed9b
SHA512 28076868772376c93cc8cbebcdf0a04617dcada0530cb8397c5063af1feb5b2d05611b920314e79e22d8adf9d1bcd73784e83e00ab6a420b0cd06e979a8fea47

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8JXWZNLMOJ7NJUPBU1Y5.temp

MD5 07daa5888db7344322eb2d93048a79e8
SHA1 a034a143075e904235ebc87b23b134f20c3d54b9
SHA256 a1b8dcdcf8767c4ddeb38a3bd338a1139b3ea14f4bbb0f2994b05e108bf0e765
SHA512 92432753284c2ad48b910e272f71350bea8c344a938239e6a659b724715a36de114a8890efb32598bad629746cc6ab9c64611d6115cca1ebf915bf044f04e8c8

C:\Users\Admin\AppData\Local\Temp\dcyqigq.vbs

MD5 4b13abd262e6f452b680b7c404285a32
SHA1 a5b55774c48678a82ab377a7d23a00ec6a174dea
SHA256 e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff
SHA512 8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8

Analysis: behavioral2

Detonation Overview

Submitted

2023-12-20 16:08

Reported

2023-12-22 09:39

Platform

win10v2004-20231215-en

Max time kernel

145s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"

Signatures

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\Control Panel\International\Geo\Nation C:\Windows\System32\WScript.exe N/A

Drops startup file

Description Indicator Process Target
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\discordgrabberdataalert.vbs C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe N/A

VMProtect packed file

vmprotect
Description Indicator Process Target
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\discordgrabberdataalert = "\"C:\\Users\\Admin\\AppData\\Roaming\\discordgrabberdataalert.exe\"" C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-768304381-2824894965-3840216961-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4744 wrote to memory of 3580 N/A C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 556 N/A C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe C:\Windows\SysWOW64\cmd.exe
PID 4744 wrote to memory of 3476 N/A C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe C:\Windows\SysWOW64\cmd.exe
PID 3476 wrote to memory of 2040 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe
PID 3580 wrote to memory of 4448 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 556 wrote to memory of 4700 N/A C:\Windows\SysWOW64\cmd.exe C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe
PID 3580 wrote to memory of 468 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
PID 2040 wrote to memory of 4460 N/A C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe C:\Windows\System32\WScript.exe
PID 4460 wrote to memory of 3040 N/A C:\Windows\System32\WScript.exe C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Processes

C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe

"C:\Users\Admin\AppData\Local\Temp\e2b22c7e6a61834361d49697274d8cb3.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force" & powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force" & exit

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionPath @($env:UserProfile,$env:AppData,$env:Temp,$env:SystemRoot,$env:HomeDrive,$env:SystemDrive) -Force"

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

C:\Windows\SysWOW64\cmd.exe

cmd /c start C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

powershell -Command "Add-MpPreference -ExclusionExtension @('exe','dll') -Force"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Set-MpPreference -ExclusionPath C:\

C:\Windows\System32\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\tfcfd.vbs"

Network

Country Destination Domain Proto
US 8.8.8.8:53 21.53.126.40.in-addr.arpa udp
US 8.8.8.8:53 173.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 204.79.197.200:443 g.bing.com tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 00000000.me udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 18.134.221.88.in-addr.arpa udp
US 8.8.8.8:53 194.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 178.223.142.52.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

MD5 c4552a772dc60787a049c358a68d3eb8
SHA1 a321d3b31646b2d622e494211db30ef2f0d074e3
SHA256 710564d854f80216ea45de04154c7dfdecd981e56e92c87ba2a245739eadb5a6
SHA512 7393214bba04dc9027144148b84f41c9bf0221e06c325ed9b9e2235f691d3391abb7c7482bc6d3b09d04629f96a9ecf2b6e5ae81ca7f449fd455efc4942bd284

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

MD5 3918a913e66245ecd633914cf6bf8787
SHA1 308781490cb78254e141dfeb8fbbf200034d130f
SHA256 85fb4aedcdc160f7b678b5a25e37509bc04c6f85842a424aa329ef069c58922b
SHA512 b3a1a0f1efe70955699b638a707bc02d618b3981f5c10a2e372b810b0cbc0474ef4ce171df49f62321402e0f7193a43f240b830e3867092561e8a17b2fed9a19

C:\Users\Admin\AppData\Local\Temp\DiscordGrabber.exe

MD5 40f103c0b1ae2a324c9603952e402d39
SHA1 70ee62e1b444534d379670db3a1729f4bdee5b98
SHA256 fe1334213e9e0fa8d2d0c8c28ff587e5cde8233e30e7175cb41cd7e33fb03369
SHA512 a798854ec4c54102a593b09a7c6ee6dd205ea10cb1733d2dc36e336e7f4c21a9fe8f472a0c6e9738f4c00a973eafef962d2ea0d18637a35aa67837e8a20dc81e

C:\Users\Admin\AppData\Local\Temp\discordgrabberdataalert.exe

MD5 71f5dc81a150a7e645e3e7ab4b84fc20
SHA1 f1d1d7f83c310d24d7f00454fab118b1cb4e6507
SHA256 0a4c57c281745b1bbec33b17cf481124e34c7c960dc1e867f5390b3edb273963
SHA512 27a4af11b865c8b8f39e4dfea32b864cf672938d99499da18fcff12ea647d475abe4cf4c03e3e3a95e9ae7b964ae372754c83aebf654db40b9a20984f40eba82

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ewxxqoau.emk.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

MD5 968cb9309758126772781b83adb8a28f
SHA1 8da30e71accf186b2ba11da1797cf67f8f78b47c
SHA256 92099c10776bb7e3f2a8d1b82d4d40d0c4627e4f1bf754a6e58dfd2c2e97042a
SHA512 4bd50732f8af4d688d95999bddfd296115d7033ddc38f86c9fb1f47fde202bffa27e9088bebcaa3064ca946af2f5c1ca6cbde49d0907f0005c7ab42874515dd3

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a72fd299e59ad4aafcf8fe177901630d
SHA1 bdbde2a69c1ac8ebd0a83fbd99ec0c40aafd147a
SHA256 d9da98a8e8aba6179d86d3f518b31a022241684d407830ce544652a1ea22096a
SHA512 50437ab68f0674c0e5ff221dda40437102cdc10912aea2232e40d39ee8ae664db749b5809752817221a5f211dd4b3c0a45782ca71ae0d564d5e05c5fdea0c462

C:\Users\Admin\AppData\Local\Temp\tfcfd.vbs

MD5 4b13abd262e6f452b680b7c404285a32
SHA1 a5b55774c48678a82ab377a7d23a00ec6a174dea
SHA256 e09b4b2ffbca61fbfaa017d9a6c7c60ec4242bfc468bf2f58887e79c97966eff
SHA512 8dc590452e549d1dbb582e6552e5cfe960adeb43987435b67d6d1f18d3ff44e7be01f638a7f62f7f47da561303fdc5203ca4412639662f170b6e0022e3ae6bc8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 47339868d6b1e248b7b203c63af7f686
SHA1 c6a428fad02bf4856683d7314f5bf5e692809f69
SHA256 a18504c585b1fa84f3c4f7f40d6b77101c59f135efb350368da8fdd3d3879739
SHA512 c7e499aecfd42a7548c9b596b5f37c1c5dae06d398645abed463831d439d6189e6b76303741a065007ccf453a5614cbf28b3e2219b85bb7e608ebef3a2a6416a
