hxxps://github[.]com/SeppiSnoux/Token-Grabber-For-Discord

Analysis

max time kernel
106s
max time network
112s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
14-02-2024 00:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://github.com/SeppiSnoux/Token-Grabber-For-Discord

Score

8^/10

pyinstaller

Malware Config

Signatures

Downloads MZ/PE file

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	Script.pif
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	Script.pif
Key value queried	\REGISTRY\USER\S-1-5-21-635608581-3370340891-292606865-1000\Control Panel\International\Geo\Nation	Script.pif

Executes dropped EXE 9 IoCs

pid	Process
4136	Script.pif
4032	GRABBER.EXE
4044	Script.pif
4244	GRABBER.EXE
392	Script.pif
1424	GRABBER.EXE
2980	GRABBER.EXE
3464	GRABBER.EXE
1228	GRABBER.EXE

Loads dropped DLL 64 IoCs

pid	Process
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1228	GRABBER.EXE
3464	GRABBER.EXE
1228	GRABBER.EXE
1228	GRABBER.EXE
1228	GRABBER.EXE
1228	GRABBER.EXE
3464	GRABBER.EXE
1228	GRABBER.EXE
1424	GRABBER.EXE
3464	GRABBER.EXE
1228	GRABBER.EXE
1228	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1228	GRABBER.EXE
3464	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE
1424	GRABBER.EXE

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com

Maps connected drives based on registry 3 TTPs 6 IoCs

Disk information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GRABBER.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GRABBER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GRABBER.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GRABBER.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\Disk\Enum	GRABBER.EXE
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\disk\Enum\0	GRABBER.EXE

Detects Pyinstaller 12 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0007000000023297-243.dat	pyinstaller
behavioral1/files/0x0007000000023297-396.dat	pyinstaller
behavioral1/files/0x0007000000023297-399.dat	pyinstaller
behavioral1/files/0x00060000000232ee-426.dat	pyinstaller
behavioral1/files/0x00060000000232ee-446.dat	pyinstaller
behavioral1/files/0x00060000000232ee-447.dat	pyinstaller
behavioral1/files/0x0007000000023297-451.dat	pyinstaller
behavioral1/files/0x00060000000232ee-501.dat	pyinstaller
behavioral1/files/0x0007000000023297-571.dat	pyinstaller
behavioral1/files/0x00060000000232ee-617.dat	pyinstaller
behavioral1/files/0x00060000000232ee-619.dat	pyinstaller
behavioral1/files/0x00060000000232ee-678.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	msedge.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	msedge.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\Deployment\Package\*\S-1-5-21-635608581-3370340891-292606865-1000\{F8668144-CB0A-4723-92DD-55A8A8BED182}	msedge.exe

NTFS ADS 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\Downloads\Unconfirmed 680726.crdownload:SmartScreen	msedge.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
4612	msedge.exe
4612	msedge.exe
3724	msedge.exe
3724	msedge.exe
4396	identity_helper.exe
4396	identity_helper.exe
980	msedge.exe
980	msedge.exe
4868	msedge.exe
4868	msedge.exe
1424	GRABBER.EXE
1424	GRABBER.EXE
1228	GRABBER.EXE
1228	GRABBER.EXE
3464	GRABBER.EXE
3464	GRABBER.EXE

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 11 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1424	GRABBER.EXE
Token: SeDebugPrivilege	3464	GRABBER.EXE
Token: SeIncreaseQuotaPrivilege	1260	wmic.exe
Token: SeSecurityPrivilege	1260	wmic.exe
Token: SeTakeOwnershipPrivilege	1260	wmic.exe
Token: SeLoadDriverPrivilege	1260	wmic.exe
Token: SeSystemProfilePrivilege	1260	wmic.exe
Token: SeSystemtimePrivilege	1260	wmic.exe
Token: SeProfSingleProcessPrivilege	1260	wmic.exe
Token: SeIncBasePriorityPrivilege	1260	wmic.exe
Token: SeCreatePagefilePrivilege	1260	wmic.exe
Token: SeBackupPrivilege	1260	wmic.exe
Token: SeRestorePrivilege	1260	wmic.exe
Token: SeShutdownPrivilege	1260	wmic.exe
Token: SeDebugPrivilege	1260	wmic.exe
Token: SeSystemEnvironmentPrivilege	1260	wmic.exe
Token: SeRemoteShutdownPrivilege	1260	wmic.exe
Token: SeUndockPrivilege	1260	wmic.exe
Token: SeManageVolumePrivilege	1260	wmic.exe
Token: 33	1260	wmic.exe
Token: 34	1260	wmic.exe
Token: 35	1260	wmic.exe
Token: 36	1260	wmic.exe
Token: SeDebugPrivilege	1228	GRABBER.EXE
Token: SeIncreaseQuotaPrivilege	1260	wmic.exe
Token: SeSecurityPrivilege	1260	wmic.exe
Token: SeTakeOwnershipPrivilege	1260	wmic.exe
Token: SeLoadDriverPrivilege	1260	wmic.exe
Token: SeSystemProfilePrivilege	1260	wmic.exe
Token: SeSystemtimePrivilege	1260	wmic.exe
Token: SeProfSingleProcessPrivilege	1260	wmic.exe
Token: SeIncBasePriorityPrivilege	1260	wmic.exe
Token: SeCreatePagefilePrivilege	1260	wmic.exe
Token: SeBackupPrivilege	1260	wmic.exe
Token: SeRestorePrivilege	1260	wmic.exe
Token: SeShutdownPrivilege	1260	wmic.exe
Token: SeDebugPrivilege	1260	wmic.exe
Token: SeSystemEnvironmentPrivilege	1260	wmic.exe
Token: SeRemoteShutdownPrivilege	1260	wmic.exe
Token: SeUndockPrivilege	1260	wmic.exe
Token: SeManageVolumePrivilege	1260	wmic.exe
Token: 33	1260	wmic.exe
Token: 34	1260	wmic.exe
Token: 35	1260	wmic.exe
Token: 36	1260	wmic.exe
Token: SeIncreaseQuotaPrivilege	2088	wmic.exe
Token: SeSecurityPrivilege	2088	wmic.exe
Token: SeTakeOwnershipPrivilege	2088	wmic.exe
Token: SeLoadDriverPrivilege	2088	wmic.exe
Token: SeSystemProfilePrivilege	2088	wmic.exe
Token: SeSystemtimePrivilege	2088	wmic.exe
Token: SeProfSingleProcessPrivilege	2088	wmic.exe
Token: SeIncBasePriorityPrivilege	2088	wmic.exe
Token: SeCreatePagefilePrivilege	2088	wmic.exe
Token: SeBackupPrivilege	2088	wmic.exe
Token: SeRestorePrivilege	2088	wmic.exe
Token: SeShutdownPrivilege	2088	wmic.exe
Token: SeDebugPrivilege	2088	wmic.exe
Token: SeSystemEnvironmentPrivilege	2088	wmic.exe
Token: SeRemoteShutdownPrivilege	2088	wmic.exe
Token: SeUndockPrivilege	2088	wmic.exe
Token: SeManageVolumePrivilege	2088	wmic.exe
Token: 33	2088	wmic.exe
Token: 34	2088	wmic.exe

Suspicious use of FindShellTrayWindow 38 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe
3724	msedge.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3724 wrote to memory of 3600	3724	msedge.exe	39
PID 3724 wrote to memory of 3600	3724	msedge.exe	39
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4628	3724	msedge.exe	86
PID 3724 wrote to memory of 4612	3724	msedge.exe	85
PID 3724 wrote to memory of 4612	3724	msedge.exe	85
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87
PID 3724 wrote to memory of 2360	3724	msedge.exe	87

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/SeppiSnoux/Token-Grabber-For-Discord
1⤵
- Enumerates system info in registry
- NTFS ADS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3724
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffcd57f46f8,0x7ffcd57f4708,0x7ffcd57f4718
  2⤵
  PID:3600
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2316 /prefetch:3
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4612
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2268 /prefetch:2
  2⤵
  PID:4628
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2872 /prefetch:8
  2⤵
  PID:2360
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3292 /prefetch:1
  2⤵
  PID:1212
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3192 /prefetch:1
  2⤵
  PID:2356
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  PID:3836
- C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5508 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4396
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5288 /prefetch:1
  2⤵
  PID:3164
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5556 /prefetch:1
  2⤵
  PID:4952
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5252 /prefetch:1
  2⤵
  PID:864
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5676 /prefetch:1
  2⤵
  PID:2912
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5572 /prefetch:1
  2⤵
  PID:924
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5876 /prefetch:8
  2⤵
  PID:1720
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6088 /prefetch:1
  2⤵
  PID:2104
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=17 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5768 /prefetch:1
  2⤵
  PID:4400
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=18 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5620 /prefetch:1
  2⤵
  PID:4976
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6648 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:980
- C:\Users\Admin\Downloads\Script.pif
  "C:\Users\Admin\Downloads\Script.pif"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4136
- - C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE
    "C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE"
    3⤵
    - Executes dropped EXE
    PID:4032
  - - C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE
      "C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1424
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        5⤵
        
        PID:3472
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        6⤵
        
        PID:920
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        5⤵
        
        PID:2896
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        6⤵
        
        PID:1516
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=6700 /prefetch:8
  2⤵
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  PID:4868
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=6564 /prefetch:8
  2⤵
  PID:3196
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2160,14778748608019947921,11275729042050107261,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=22 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6764 /prefetch:1
  2⤵
  PID:1340
- C:\Users\Admin\Downloads\Script.pif
  "C:\Users\Admin\Downloads\Script.pif"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:4044
- - C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE
    "C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE"
    3⤵
    - Executes dropped EXE
    PID:4244
  - - C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE
      "C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3464
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        5⤵
        
        PID:3772
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        6⤵
        
        PID:4952
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get uuid
        5⤵
        
        PID:2904
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        5⤵
        
        PID:4036
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        6⤵
        
        PID:2068
- C:\Users\Admin\Downloads\Script.pif
  "C:\Users\Admin\Downloads\Script.pif"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  PID:392
- - C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE
    "C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE"
    3⤵
    - Executes dropped EXE
    PID:2980
  - - C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE
      "C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Maps connected drives based on registry
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1228
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2> nul
        5⤵
        
        PID:4636
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc
        6⤵
        
        PID:1556
    - - C:\Windows\System32\Wbem\wmic.exe
        
        wmic csproduct get uuid
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2> nul
        5⤵
        
        PID:392
      - C:\Windows\system32\reg.exe
        
        REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName
        6⤵
        
        PID:2968

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1340

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:3968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

Filesize
152B

MD5
fa070c9c9ab8d902ee4f3342d217275f

SHA1
ac69818312a7eba53586295c5b04eefeb5c73903

SHA256
245b396ed1accfae337f770d3757c932bc30a8fc8dd133b5cefe82242760c2c7

SHA512
df92ca6d405d603ef5f07dbf9516d9e11e1fdc13610bb59e6d4712e55dd661f756c8515fc2c359c1db6b8b126e7f5a15886e643d93c012ef34a11041e02cc0dc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000011

Filesize
28KB

MD5
5270dd0d89193e808a8765a1a2727f16

SHA1
96df1f1c868e4aa1c2263b202c03768041ad637f

SHA256
5ec6ed2ccd35ff1409189ca352360d2e7371548fe44718dc6f33e286e0a692fb

SHA512
8db721dee73521f821511aca92fe732e51c3a50e76f32ef3f278a3a8e580f29eea2344620095f178c8c5a7ad3422c589e7c76617163c8da9a22358baed943c32

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000012

Filesize
19KB

MD5
2e86a72f4e82614cd4842950d2e0a716

SHA1
d7b4ee0c9af735d098bff474632fc2c0113e0b9c

SHA256
c1334e604dbbffdf38e9e2f359938569afe25f7150d1c39c293469c1ee4f7b6f

SHA512
7a5fd3e3e89c5f8afca33b2d02e5440934e5186b9fa6367436e8d20ad42b211579225e73e3a685e5e763fa3f907fc4632b9425e8bd6d6f07c5c986b6556d47b1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000013

Filesize
69KB

MD5
a127a49f49671771565e01d883a5e4fa

SHA1
09ec098e238b34c09406628c6bee1b81472fc003

SHA256
3f208f049ffaf4a7ed808bf0ff759ce7986c177f476b380d0076fd1f5482fca6

SHA512
61b54222e54e7ab8743a2d6ca3c36768a7b2cf22d5689a3309dee9974b1f804533720ea9de2d3beab44853d565a94f1bc0e60b9382997abcf03945219f98d734

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000014

Filesize
64KB

MD5
d6b36c7d4b06f140f860ddc91a4c659c

SHA1
ccf16571637b8d3e4c9423688c5bd06167bfb9e9

SHA256
34013d7f3f0186a612bef84f2984e2767b32c9e1940df54b01d5bd6789f59e92

SHA512
2a9dd9352298ec7d1b439033b57ee9a390c373eeb8502f7f36d6826e6dd3e447b8ffd4be4f275d51481ef9a6ac2c2d97ef98f3f9d36a5a971275bf6cee48e487

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000015

Filesize
63KB

MD5
710d7637cc7e21b62fd3efe6aba1fd27

SHA1
8645d6b137064c7b38e10c736724e17787db6cf3

SHA256
c0997474b99524325dfedb5c020436e7ea9f9c9a1a759ed6daf7bdd4890bdc2b

SHA512
19aa77bed3c441228789cf8f931ca6194cc8d4bc7bb85d892faf5eaeda67d22c8c3b066f8ceda8169177da95a1fe111bd3436ceeaf4c784bd2bf96617f4d0c44

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000016

Filesize
88KB

MD5
b38fbbd0b5c8e8b4452b33d6f85df7dc

SHA1
386ba241790252df01a6a028b3238de2f995a559

SHA256
b18b9eb934a5b3b81b16c66ec3ec8e8fecdb3d43550ce050eb2523aabc08b9cd

SHA512
546ca9fb302bf28e3a178e798dd6b80c91cba71d0467257b8ed42e4f845aa6ecb858f718aac1e0865b791d4ecf41f1239081847c75c6fb3e9afd242d3704ad16

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000017

Filesize
1.1MB

MD5
cd576832e2c724177023735b219ee010

SHA1
eea8b83001bab88050e5930b0d3f44baa134a015

SHA256
e88ac130e3d71164cf2f2f17b85cc3b9ab36fcbbe65c4a4571701e4fc7e9eaf0

SHA512
2750d9c2ecaf7ec27c3c4092fa3b16e58ec1f5ff79b65eb684ad6549721a38238955bc421871f4fa778069b003db609bdea231fc969db8a36f68e1a61adc9d2d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000018

Filesize
32KB

MD5
bbc7e5859c0d0757b3b1b15e1b11929d

SHA1
59df2c56b3c79ac1de9b400ddf3c5a693fa76c2d

SHA256
851c67fbabfda5b3151a6f73f283f7f0634cd1163719135a8de25c0518234fc2

SHA512
f1fecb77f4cdfe7165cc1f2da042048fd94033ca4e648e50ebc4171c806c3c174666bb321c6dda53f2f175dc310ad2459e8f01778acaee6e7c7606497c0a1dea

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Cache\f_000019

Filesize
75KB

MD5
cf989be758e8dab43e0a5bc0798c71e0

SHA1
97537516ffd3621ffdd0219ede2a0771a9d1e01d

SHA256
beeca69af7bea038faf8f688bf2f10fda22dee6d9d9429306d379a7a4be0c615

SHA512
f8a88edb6bcd029ad02cba25cae57fdf9bbc7fa17c26e7d03f09040eb0559bc27bd4db11025706190ae548363a1d3b3f95519b9740e562bb9531c4d51e3ca2b7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
3KB

MD5
aaf75cd174c95f04b547e4dbc723bf83

SHA1
a1dd797e4f8bd32816227275c1a93b9d41ac3a49

SHA256
57750703d56ddb565758f073f478341597b5100ab91d1806a5cb13985931e6ee

SHA512
98630ec8f78edec1f887d9516aaeaaac1cd07b00060c94afdc946e7f8c861c6540d710061ee745b639729aa90fb5c61fa262787a5f276e02611bcfbe7de1e597

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
2KB

MD5
8474e59f365403838ed0ad706b9c2188

SHA1
ca756197202567272ff429d1d1ad65386681e988

SHA256
2fac37c2d3722deed92cc76c012cb047522a1e6d8c31fb116829e03dbdce775d

SHA512
3678060bc833c19e8e9cfce8c0b466dfa30e98a9f66768e2d8d1bf822b4ebe798a22fcd0f0a814d0f88a7a16634ff39aae515c0592e0fdb6910116f358ff0b7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
111B

MD5
285252a2f6327d41eab203dc2f402c67

SHA1
acedb7ba5fbc3ce914a8bf386a6f72ca7baa33c6

SHA256
5dfc321417fc31359f23320ea68014ebfd793c5bbed55f77dab4180bbd4a2026

SHA512
11ce7cb484fee66894e63c31db0d6b7ef66ad0327d4e7e2eb85f3bcc2e836a3a522c68d681e84542e471e54f765e091efe1ee4065641b0299b15613eb32dcc0d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

Filesize
796B

MD5
fe628a1ceccf05b61d6e35d76f990de5

SHA1
8cbd93ac763fe65ff2f431f2c49c44aeb9c11350

SHA256
bb1b83da48b6a5610aaf14347cf22ab934cd65204d52a893f25c87451becfd9b

SHA512
37ad24eec40698d70ca1ca0f005bb4359c31f741c122a55872764e3f670bd81b1d073574daf41b28bb0f75f3406f33fdb2bd8604b57a7a75c49c8c46753bb030

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
b622fe6cda1ec5057487d6a65927257c

SHA1
0cddedcc6dd3f048ee29d3ddd25e521f3185b172

SHA256
2656bcd8bc98e5ff6fbbd2711a086352e4bdedbb0a438f6d25b3875ed43bb41e

SHA512
eeb7a3b8e1e37c98887da6d18db061624de5bea8df07957ec0991440c131f55a8188335f48894892e2d4a2adfebf2737ffee2189d9d915ea2bf2f089178ef14e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
b05103c746a4bc5df6ee1edd066dcc6c

SHA1
ff68aba8b73977caef84a6ef6682964f5ff28597

SHA256
3d63306d6ae87dde113056b1c725bb1da2d52ddf9d2350a75c4aee9c1d4da307

SHA512
e07f71ec51d9e6c23a13486fb4f418b0c1af5b963bd0ff2a698a62dcc9b9fc3bf98545d29a7afb46e3497c4c45099abb1708b83de347ac7449d421916218393f

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
6302b1d7c6044d9835261e22196be73a

SHA1
eef419da3196219aaa4b1b4bbc02e0b615a8e7cf

SHA256
ef1dffe339295a8288bf0dcb1ffdd8aba903be5551629659dfce4cf5067dfed6

SHA512
b52434199fdec157b70a1b76673b4435573ee63bae633abbcba7ecbd9327d09325b019884cca3dd0a126a0eb16cab714ca3de793f9def509b9b1ca11e1a612eb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
5KB

MD5
f4952462a32f32ae7395e985a612f077

SHA1
56197c75c2b76bece8f976dcc4e15f909ab04c12

SHA256
5bb00a9097b2f2266728555e3222c1ae5a1ffb120294f70bb32a492be4799cfd

SHA512
11aea914f6ca12369b8281deb331a9ab544cce2491a85874d6c494d4f9891cd19d611146d1ca9177f29fb1a015e8d8ad20fb03933e81e345e3bd0b266a444619

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
6ddcd83eb16aa800d4a28829927ffa59

SHA1
7cc2bf139f7d5745ca2a4433553e16d271aed660

SHA256
d6fb2fd88bff8a1ad3d2ba589053b631c0d2dcf77a5a2875e8e5df7acb383499

SHA512
f35bb15b15584bd76a95ac4576a6c636f29fc1d2f3aa143cf8b02eaf9cc90f1422120fd6e564ede5c55a3b1e23c0402bee6c694486f8fb4dcdf4ce87196f3049

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

Filesize
6KB

MD5
80a971f22bb05c15e4d9647d91b0fd00

SHA1
29241d6f00de904ace6576030bbad4a101dada6b

SHA256
2bb786563cabe796bb6af4eb6965cdee042ca3eb1bdf1d61629740dd3e1a538b

SHA512
d126d43607ba23070ae2e15ec24db5c8fc566fab80a67b768b1b194f902b9c6dabc5a8f6745538b5dbb684c2a8dcb6aa07157646487424453b8cfbeb281ed881

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

Filesize
24KB

MD5
917dedf44ae3675e549e7b7ffc2c8ccd

SHA1
b7604eb16f0366e698943afbcf0c070d197271c0

SHA256
9692162e8a88be0977395cc0704fe882b9a39b78bdfc9d579a8c961e15347a37

SHA512
9628f7857eb88f8dceac00ffdcba2ed822fb9ebdada95e54224a0afc50bccd3e3d20c5abadbd20f61eba51dbf71c5c745b29309122d88b5cc6752a1dfc3be053

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
d71eea2cd269dc645236107f812849f4

SHA1
2d4a08b487b055f9591a1908c83ab21393385359

SHA256
cb903beabd3c753a630b93c7c669809ec87a32dfed89f0d7fa1573741778b894

SHA512
9e70bb081dc22dc58f600fdda80642e6ccac1643fc423ea79130e56249eafae5ee76cc623c05905f9db3c961d152144c8c304b7b57c4cd00becd3e5a0c7dda24

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
acc97b878b26d8125f3b93ac04ef77c4

SHA1
6a23643e00bb06cfe3fc4471ef4f8669d15f8df1

SHA256
f84102596a85efe888f4030c91347c4b8c09ba4e53f21fdaced5f90488030f2f

SHA512
08c11d5492c8abdd48386441dadf5c00b5cff812f4b2d385fa10dc0c0e5e2ccb934f2364f8d84205591fdf7d28c6d934552e5901a89da330e752370f65361409

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
30202d7d63827b26aabdcdd1ded95e53

SHA1
8407be61834f7072f0d4eea7e264d5dece53c3de

SHA256
978d9c007da2bbf909021f5e914f2c0aadb00e1425512a1e16984fbf9f182059

SHA512
9a71fe971f2423dffe21eb3407fceb38e0d9401b6331de319b8bdefc85614eaf83137494148d954df45fdc3e0c4baa3337ad804c49f7feb7dfa8a78ba251da7e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
406c6254dc5957c001a901b0bdb4416f

SHA1
b16c3b1c0134ca3d69e46a44538f4e056f12c981

SHA256
9eae98e49e14a2ab49f99d4451543bd7d1ffbac9925cdd3ef99da2bf6c06a2f2

SHA512
b40d6004ae79c7379c6a2a2c68c6539571dd8877fb04559178996b471e61f941374572d312cd7f208c00f74347ee22545e2fd501c1d21bd6561dfb8c189c93c7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

Filesize
1KB

MD5
344f220a8ae9d5678defe3bc37ecb96c

SHA1
727b3d9e7a941a3bab036036d06d5e8ef46b939a

SHA256
5a7bef9adc08dde52d21652374a4b900cf448dddba9a79877ffe234626573a8e

SHA512
c828f4a901e56690c5990a40519f712266c0b0e7b4dabbbbd391ed49eba62143ab67d0c50458ef20ad1b0b777e591cbb17585a00d46410e6854693e9f110b3fc

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe580ff9.TMP

Filesize
874B

MD5
075aa2486b6b7733874cc98cebb786da

SHA1
a16b8a6af23d00f5ea433bd2fcf14361b87e0929

SHA256
9212eaa8636b9a3817b243494e372ef448498dd3fe9c9b2c50456f9e7e2ac00f

SHA512
5a1489c542b6b45a476b4e693eb72884aa507c1dcecf64c4f2f989c0ee019421f57ae5c0ff254e8b53df36d8cc7743b7caf33fe80dda6345b633f84bb8123106

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

Filesize
16B

MD5
6752a1d65b201c13b62ea44016eb221f

SHA1
58ecf154d01a62233ed7fb494ace3c3d4ffce08b

SHA256
0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd

SHA512
9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
c34c7608a4a6f9fd7cf6d0e0aeb1059b

SHA1
8eef5112ad6aefdee84e652c4c9288383f69ea37

SHA256
8df7668d10c39a10dda110a8daf2baaa74648ce1f21f9d49881dfa43bbd9e191

SHA512
cd1e9e841377ae53ba8a8627871f83ad63543b346ab734b6d131749d6fdadc0bd95728a561cde688b382bd6547a88874c5ce83ec36a556ddadf47f27c2b156c6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
10KB

MD5
8c9552318bdbc6692be2f7d80c516f06

SHA1
51213d391c7b25079261f06c909e59a5c943f4ea

SHA256
bb0417aa5db49ae68cfbedb91763284dabdfeac4a1fef1417e123da193b11783

SHA512
02af32c6b753950c1c9a0ea5872f126b8efced98e1328e8058d3a8cac016911b1ce38ceca4ce9b5fb16477fa2d1c8b0bb909f0617edccca37140e1ed322883b0

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

Filesize
11KB

MD5
9ca88dd0fb1f38a2fed54711c8057329

SHA1
b3b38488e6832f54093931cab2066a9bb301afd2

SHA256
91f54d4ffef8b8951c648bfd5ecca37ed0261645d221eac9f3417f487afa0b42

SHA512
1b56ccbb76c583f64ffeeeb89af7c061ea368037d811bfebb79f81c0f1d78b4fb916c55d1928581c0632b28e7d8e835d0935a206628442a8cbffbc319731668c

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
4.9MB

MD5
ea52370726020ad7d6a038d37c498717

SHA1
b85d0892f8cfd54e502bef0941db0e4a8e73c5d7

SHA256
e7c850ded4480d19952c922d1b1b0bd66f09fb5ed7ee459011edb9fb76a5d301

SHA512
25e0cf843b4e6f58598e002c67e7164c2cdcd837d81d076763d75be439f89b1d792399b1f3edd0e9c2f199a5963d2e9d81d5086f2696d5f4fe967fb675cf0551

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
1.1MB

MD5
343da116cefe3ba6853523f17a0ceffc

SHA1
064e4e82d061852191b4c94589f0aeb1e8260cd4

SHA256
ecc6cd32231e796afff69502bd94bf3855612fe4bb47f620ad45edc572a88c01

SHA512
bea3e5a80a6511c9bb424e07d7cb43a8ec08a0e40332e4e26cb5f922cc22c31c5c9e6a3843ed88d692938fad534da6fa4115abc0d577b0c9178fed6b3bdb8a4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
1.2MB

MD5
75ef386bbce237b6243e4ddd5081b5de

SHA1
523f8dcfb2cbdaec8d7a80f8e8ed8c7a366673e8

SHA256
0711cd9333e36063fde7d1d646e5e2e9921d0cb07e01e7e9b0d5678a8f4a9082

SHA512
908789ecf88086a575e626fd3be60aa47bdd358b8b0ca4284c248aad46ee66610e022f7c3995be1606996a04a2965b6224afa437a1df33930942f878d506e8ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
320KB

MD5
d53077c6172459b0d6151d820b9d5868

SHA1
5b98ca434af8edcd372eb39720caaaabe66e0f55

SHA256
82f29ba7cf1f42f4b43b8f5f703bf1d0681517219de81d268f5b276d90948a4d

SHA512
dc3d24c94069845a118b0e321117cbb821d3ea3791ec3d47bf1c455f61a2032e810703e5b75572a5cacb54d8c363d8616a5a2e5fb864d605737fd12f15264e9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
391KB

MD5
69464a6169bef0edc56fe0532dcf52ee

SHA1
2b9501858c0f6b2f51f5e47d3c3742d3d4f0c5e4

SHA256
8cfd806ed2ca883e52e39be8c653da515d398ad7e544d5efc19e33cf1843e19b

SHA512
a9c010e847bfc6afb4316a37b253f6236fea46417556b8df8d1e5af6e5a89590be7539a271a078903aeefa62964e24be71d8171ce8c5e1ec09b027db14462de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
64KB

MD5
5a8f5ce7478918dfc2573f91d11be5df

SHA1
a9cc26ef81cd8f1de06ac96d883205719b636e61

SHA256
3c989b1230361365341db7de0244cab35cf8472d39845757c3e1912a18609655

SHA512
2d477c8e9310bca51f3a5cb7b0621ec295ecc84e40a3cd667a745b9cb594781ceb0875199eacd0deefb2f1eb9a5882a5bcf5c9c29f4bb5b330f45ea0b80a4e5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRABBER.EXE

Filesize
768KB

MD5
2894322b41481964e4cc69b6ee5f4ab5

SHA1
dff54fbeb594b33deda331a57dceeaac29f06637

SHA256
41ff1e6be8a7ba093bb06e065acd8b4e291f0daf0765636f6bc9f15ee5c7af28

SHA512
83951c75e6a28d3d96e638b4d49ad69b59da58c3d01cef2d8fb4af37293b43dd2d3caefcf342608060a07eac9e67a22c94940ec83501cdad5728203ffa4bf94d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\VCRUNTIME140.dll

Filesize
106KB

MD5
870fea4e961e2fbd00110d3783e529be

SHA1
a948e65c6f73d7da4ffde4e8533c098a00cc7311

SHA256
76fdb83fde238226b5bebaf3392ee562e2cb7ca8d3ef75983bf5f9d6c7119644

SHA512
0b636a3cdefa343eb4cb228b391bb657b5b4c20df62889cd1be44c7bee94ffad6ec82dc4db79949edef576bff57867e0d084e0a597bf7bf5c8e4ed1268477e88

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\_bz2.pyd

Filesize
81KB

MD5
10d42efac304861ad19821b4594fa959

SHA1
1a65f60bba991bc7e9322af1e19f193dae76d77a

SHA256
8eecdcc250637652e6babc306ea6b8820e9e835ddd2434816d0e0fd0ca67fd14

SHA512
3f16dba627a133586e9d1c16d383b9461424d31892278ab984f7e6932a1cdc51445e1bec017a665bd66c0f2a9ba417387fecc5fdede36d67f8343b82a2ceb9ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\_ctypes.pyd

Filesize
120KB

MD5
df6be515e183a0e4dbe9cdda17836664

SHA1
a5e8796189631c1aaca6b1c40bc5a23eb20b85db

SHA256
af598ae52ddc6869f24d36a483b77988385a5bbbf4618b2e2630d89d10a107ee

SHA512
b3f23530de7386cc4dcf6ad39141240e56d36322e3d4041e40d69d80dd529d1f8ef5f65b55cdca9641e378603b5252acfe5d50f39f0c6032fd4c307f73ef9253

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\_hashlib.pyd

Filesize
62KB

MD5
f419ac6e11b4138eea1fe8c86689076a

SHA1
886cda33fa3a4c232caa0fa048a08380971e8939

SHA256
441d32922122e59f75a728cc818f8e50613866a6c3dec627098e6cc6c53624e2

SHA512
6b5aa5f5fbc00fb48f49b441801ee3f3214bd07382444569f089efb02a93ce907f6f4e0df281bda81c80f2d6a247b0adc7c2384a2e484bc7ef43b43c84756d2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\_lzma.pyd

Filesize
153KB

MD5
3230404a7191c6228a8772d3610e49e5

SHA1
4e8e36c89b4ff440ddff9a5b084b262c9b2394ec

SHA256
33ae42f744d2688bb7d5519f32ff7b7489b96f4eea47f66d2009dba6a0023903

SHA512
6ecce0c8e8b3d42275d486e8ff495e81e36adaaacaaa3db37844e204fcdaa6d89cb3d81c43d9e16d938cd8b6671b8800fe74a1e723a9187b0566a8f3c39d5d5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\_socket.pyd

Filesize
76KB

MD5
0fc65ec300553d8070e6b44b9b23b8c0

SHA1
f8db6af578cf417cfcddb2ed798c571c1abd878f

SHA256
360744663fce8dec252abbda1168f470244fdb6da5740bb7ab3171e19106e63c

SHA512
cba375a815db973b4e8babda951d1a4ca90a976e9806e9a62520a0729937d25de8e600e79a7a638d77df7f47001d8f884e88ee4497bd1e05c1dae6fa67fb3dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\base_library.zip

Filesize
1.7MB

MD5
e9c28bc7ae0276a2413d913fabe101cc

SHA1
baefb0b00eac192113737106bc76b02244c17838

SHA256
7ecd1dfe0dcc82c2e595729cb238acb890326adc87136334ce9c21a5f0c847bf

SHA512
c25532849462e0dc1e3e7fd5f0dcc93a5dc18c7b29920819143ec30fec899f98cb8a538ab0084b9ba91f62705de3dededef6acfae02daf1efceabac3819804e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\libcrypto-1_1.dll

Filesize
3.3MB

MD5
6f4b8eb45a965372156086201207c81f

SHA1
8278f9539463f0a45009287f0516098cb7a15406

SHA256
976ce72efd0a8aeeb6e21ad441aa9138434314ea07f777432205947cdb149541

SHA512
2c5c54842aba9c82fb9e7594ae9e264ac3cbdc2cc1cd22263e9d77479b93636799d0f28235ac79937070e40b04a097c3ea3b7e0cd4376a95ed8ca90245b7891f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\libffi-8.dll

Filesize
37KB

MD5
d86a9d75380fab7640bb950aeb05e50e

SHA1
1c61aaf9022cd1f09a959f7b2a65fb1372d187d7

SHA256
68fba9dd89bfad35f8fd657b9af22a8aebda31bffda35058a7f5ae376136e89b

SHA512
18437e64061221be411a1587f634b4b8efa60e661dbc35fd96a6d0e7eff812752de0ada755c01f286efefc47fb5f2daf07953b4cfc4119121b6bee7756c88d0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\python3.DLL

Filesize
64KB

MD5
7feb3da304a2fead0bb07d06c6c6a151

SHA1
ee4122563d9309926ba32be201895d4905d686ce

SHA256
ddd2c77222e2c693ef73d142422d6bf37d6a37deead17e70741b0ac5c9fe095b

SHA512
325568bcf1835dd3f454a74012f5d7c6877496068ad0c2421bf65e0640910ae43b06e920f4d0024277eee1683f0ce27959843526d0070683da0c02f1eac0e7d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\python311.dll

Filesize
5.1MB

MD5
53eed8ebbc481f1ab39179ccc78a60d6

SHA1
cec5ccfe1453388bda222e0612321a3e2403ce9d

SHA256
72f825502f955120e2adee03a614925a47b02ff41d33733983ddbbb726c14ec8

SHA512
bc928016ed1bf95e949ce2d05e17f42d775ba167b550ee0d0ccb24ef4c02bd77cf2c34cb010baaf363fa37a130227cc5086eaade324d86c1da236057552279e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\python311.dll

Filesize
3.2MB

MD5
0435bde8e5b9ad14ff3ddf49054bdb2a

SHA1
762e0cf3d7572cbd8aaf6bffd5fc00afe1821053

SHA256
6dd0f73f91ee3edbcd405147b16100811802c75124566876814e76789bb8b6d2

SHA512
f3183a0ef8cb2e8a8f11774bce566070d64781fef4c77f6ba4f2f237f61c11ca69ee4608b2b7c0c601d59ce4fb71097f8de9bab86e5582bcc8f4a8794ec59adb

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI40322\select.pyd

Filesize
28KB

MD5
116335ebc419dd5224dd9a4f2a765467

SHA1
482ef3d79bfd6b6b737f8d546cd9f1812bd1663d

SHA256
813eede996fc08e1c9a6d45aaa4cbae1e82e781d69885680a358b4d818cfc0d4

SHA512
41dc7facab0757ed1e286ae8e41122e09738733ad110c2918f5e2120dfb0dbff0daefcad2bffd1715b15b44c861b1dd7fb0d514983db50ddc758f47c1b9b3bf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42442\python311.dll

Filesize
962KB

MD5
f6b4b75f9b4efdadedb67ec5a8d8f1e8

SHA1
9cb55129a29eafa9588a546275b761c28cf2b4da

SHA256
bebd05ed0dfbb0877f8e335af2b39d4c57929578e6d034c3f4086ac88e1d9568

SHA512
67dfa690227379bf34116d567679517547bfc07667f3433757ce18fb3e6971e04dfbbbd4f580f3533ad6fc87bcd48ca43606bcb6181698c116e05de18c3d428a

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI42442\python311.dll

Filesize
5.5MB

MD5
a72993488cecd88b3e19487d646f88f6

SHA1
5d359f4121e0be04a483f9ad1d8203ffc958f9a0

SHA256
aa1e959dcff75a343b448a797d8a5a041eb03b27565a30f70fd081df7a285038

SHA512
c895176784b9ac89c9b996c02ec0d0a3f7cd6ebf653a277c20dec104da6a11db084c53dd47c7b6653a448d877ad8e5e79c27db4ea6365ebb8ca2a78aa9c61b38

Download Submit
C:\Users\Admin\Downloads\Script.pif

Filesize
832KB

MD5
0dc2f3100fb9b68342d98d14609792c5

SHA1
c5a40fec29bc22dd46cb1873907c13b3f8b6cec9

SHA256
f38246c5e3b2e4958272d0f886f7b565398514893b819711317af5fe17c7d9f6

SHA512
897e16757d128ea3f973637badd42aa6d97fb600506fffe8cdf234d2146d5f1f7dbf97baf78e4f4dc4d8f22601fce3a0dd54e2289257c9ddb977ac5d3edaddc1

Download Submit
C:\Users\Admin\Downloads\Script.pif

Filesize
128KB

MD5
133d63771461abe666c4a7dc4a24e731

SHA1
e98f69e3266fdac670d792f72b89f8fdd2579eab

SHA256
9a4839c50ccd2ef6808dc1e9f5c5bf5450b33947520c7be68aefa6f06a2e89bd

SHA512
58445f3091832e5b0369428e3eaeba33f4082d4f3721f7fe591f18195a2d9b8e43d8ba064bf7a401caf70102227aa2b1d8c2490d7057a0c6735fcd0b7ff9d84b

Download Submit
C:\Users\Admin\Downloads\Script.pif

Filesize
1024KB

MD5
1e07408e5f91358a6bb5205c0730f463

SHA1
c26270511182962c6016f155e53a93d07012d399

SHA256
7ee58087e085f8b6e5095306a30b717d34389e0059b9b82d7640214da5abd2da

SHA512
8412d705e89f3d4ed910c23ec112fe50f5dfb86fc7ba09b210cfcdd683ce112a804886b115447eae223d7198846cc9f9bc868e7d4e75b153e8ae6fbde2d51f88

Download Submit
C:\Users\Admin\Downloads\Script.pif

Filesize
1.8MB

MD5
a3a294c2805ad6e831b9044ea4d5432a

SHA1
3c8ea4a20a1925eea2bb97401405fcb1199e68f9

SHA256
43b72675461f471c81d049296f2f174b1aab399c3e5d6868a4a02a74ae2a4508

SHA512
8851c3c23169c84b2eb7b7be61342d4749358ed5562a023c26ca436f08e2e898f2dc7d77356433fb2a0d2d8a7d7ea9654ba4b030729615c3aa82ec113832a922

Download Submit
C:\Users\Admin\Downloads\Unconfirmed 680726.crdownload

Filesize
398KB

MD5
b974fac977efaa8b108244dac4a74d8a

SHA1
174fdfcd865718159d0e2b099b9009d8c985d6f4

SHA256
f09b10c5f6a181e1b7069bf67cafd0908e888202581fc61c1f529b66366efc68

SHA512
c059d34c5e26fcfbbb4d4a102ee216a6c0ed9e065264f01e7966f68dbdc36bfc3d08a6d5294d0d5fc97ed4c3b1f07cae1c94dd4d24c5e6c865d12fb870368ceb

Download Submit