Analysis Overview
Threat Level: Known bad
The file https://github.com/xaim919/Discord-Image-Grabber was found to be: Known bad.
Malicious Activity Summary
StormKitty
Contains code to disable Windows Defender
StormKitty payload
Executes dropped EXE
Checks computer location settings
Looks up external IP address via web service
Legitimate hosting services abused for malware hosting/C2
Detects Pyinstaller
Enumerates physical storage devices
Runs net.exe
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of AdjustPrivilegeToken
Enumerates system info in registry
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of FindShellTrayWindow
Kills process with taskkill
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-05-15 21:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-05-15 21:43
Reported
2024-05-15 21:44
Platform
win10v2004-20240426-en
Max time kernel
24s
Max time network
29s
Command Line
Signatures
Contains code to disable Windows Defender
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
StormKitty
StormKitty payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | checkip.dyndns.org | N/A | N/A |
Detects Pyinstaller
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Enumerates physical storage devices
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\taskkill.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/xaim919/Discord-Image-Grabber
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd150d46f8,0x7ffd150d4708,0x7ffd150d4718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2108 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2348 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2812 /prefetch:8
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3300 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3348 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5692 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5548 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5588 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=3296 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3468 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2100,2010494825662509829,515495958537892098,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4936 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Downloads\Image Grabber.rar"
C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe
"C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\image grabber.exe"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\GRABBER.EXE"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" "
C:\Windows\SysWOW64\net.exe
net stop"WinDefend"
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 stop"WinDefend"
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\IMAGE LOGGER.EXE"
C:\Windows\SysWOW64\taskkill.exe
taskkill /f /t /im "MSASCui.exe"
C:\Windows\SysWOW64\reg.exe
reg add "hklm\Software\Microsoft\Windows\CurrentVersion\Run" /v "rundll32_awspeGfa_w32" /t "REG_SZ" /d "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\LOL.BAT" /f
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\7zO435A0AE7\XD.vbs"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c title xyz
Network
Files